Abstract

This article introduces a fully automated verification technique that
makes it possible to analyze real-time systems described using a continuous notion
of time and a mixture of operational (i.e., automata-based) and descriptive
(i.e., logic-based) formalisms. The technique relies on the reduction, under
reasonable assumptions, of the continuous-time verification problem to
its discrete-time counterpart. This reconciles in a viable and effective
way the dense/discrete and operational/descriptive dichotomies that are
often encountered in practice when it comes to specifying and analyzing
complex critical systems. The article investigates the applicability of the
technique through a significant example centered on a communication
protocol. More precisely, concurrent runs of the protocol are formalized
by parallel instances of a Timed Automaton, while the synchronization
rules between these instances are specified through Metric Temporal Logic
formulas, thus creating a multi-paradigm model. Verification tests run on
this model using a bounded validity checker implementing the technique
show consistent results and interesting performance.
1 Introduction

There is a tension between the standpoints of modeling and of verification when
it comes to choosing a formal notation. The ideal modeling language would be
very expressive, thus capturing sophisticated features of systems in a natural
and straightforward manner; in particular, for concurrent and real-time systems,
a dense time model is the intuitive choice to model true asynchrony seamlessly.
On the other hand, expressiveness is often traded off against complexity (and
decidability), hence the desire for a feasible and fully automated verification
process pulls in the opposite direction of more primitive, and less expressive, models
of time and systems. Discrete time, for instance, is usually more amenable to
automated verification, and quite mature techniques and tools can be deployed
to verify systems modeled under this assumption.

Another, orthogonal, concern of the real-time modeler is the choice between 
operational and descriptive modeling languages. Typical examples of opera- 
tional notations are Timed Automata (TA) and Timed Petri Nets, while tem- 
poral logics are popular instances of descriptive notations. Operational and de- 
scriptive notations have complementary strengths and weaknesses. For instance, 
temporal logics are very effective for describing partial models or requirements 
about the past (through the natural use of past operators); automata-based 
notations, on the other hand, model systems through the notions of state and 
transition, and are typically easy to simulate and visualize. Hence, from a mod- 
eling viewpoint, the possibility of integrating multiple modeling paradigms in 
formalizing a system would be highly desirable. 

This paper introduces a verification technique that, under suitable assumptions,
reconciles the dense/discrete and operational/descriptive dichotomies in
an effective way. More precisely: (1) it makes it possible to analyze continuous-time
models using fully automated, discrete-time verification techniques; and (2) it
allows users to mix operational (TA) and descriptive (metric temporal logic,
MTL) components in the system specification. The technique is partial in two
respects: it can fail to provide conclusive answers, and only dense-time behaviors
with bounded variability are verified. It involves an automated translation
of the operational part into temporal logic notation, based on an MTL
axiomatization discussed in this paper. The resulting MTL model, describing both
the system and the properties to be verified, is then discretized according to
the techniques introduced in [16]. The discrete-time approximation can be
analyzed through conventional tools; we provide an implementation based on the
Zot bounded satisfiability checker [3^.

We experimented with a significant example based on the description of a
communication protocol by means of a timed automaton. Concurrent runs of
the protocol are formalized by parallel instances of the same automaton; additionally,
the simple synchronization rules between these instances are naturally
formalized by means of additional MTL formulas, hence building a mixed model.
Verification tests run on these models showed consistent results and acceptable
performance.

An interesting auxiliary contribution of the discretizable axiomatization of
TA in MTL is a set of "rules of thumb" about how to describe systems based on
the notion of state and transition with a logic formalism, in a way which is also
amenable to discretization (according to the notion of [K]). Section 4 discusses
this issue in great detail.
Finally, let us stress that our approach aims at providing a practical approach
to the verification of operational (and mixed) models. Hence, we sacrifice
completeness in order to have a lightweight and flexible technique. Also note that,
although in this paper TA are the operational formalism of choice, the same
approach could be applied to other operational formalisms, such as Timed Petri
Nets.

Structure of the paper. The paper is organized as follows. Section 1.1
provides a sketch of the whole technique with as few technical details as possible.
Section 1.2 briefly summarizes some research related to the content of
this paper. Section 2 introduces the technical definitions that are needed in
the remainder, namely the syntax and semantics of MTL and TA, and the
discretization techniques from [iTl [16] that will be used. Section 3 shows how
to formalize the behavior of TA as a set of dense-time MTL formulas. Then,
Section 4 re-examines the axioms and suitably modifies them in a way which
is most amenable to the application of the discretization technique; the overall
result is a set of discrete-time MTL formulas whose satisfiability is linked
to the satisfiability of the original dense-time formulas according to the rules
of the discretization technique. Section 5 describes the example of a simple
communication protocol and reports on the experiments conducted on it with
the SAT-based implementation of the technique. Finally, Section 6 draws some
conclusions.

1.1 Overview

The goal of our technique is to provide a means to carry out practical verification
of real-time systems described using a dense notion of time and a mixture
of operational and descriptive notations. In particular, we assume a model
of real time based on the notion of behavior, which is basically a continuous-time
signal, and we consider a variant of TA as operational formalism and MTL as
descriptive formalism.

The most common approaches to similar verification problems involve translating
the logic into automata [2]. In this paper we take the mirror approach
of describing TA through MTL formulas. This choice is mainly justified by the
fact that logic formulas are naturally compositional, hence our ultimate goal of
formally combining mixed models is facilitated by this choice. It is well-known
that MTL is undecidable over dense time [4]; this hurdle is however practically
mitigated by employing the discretization technique for MTL introduced — and
demonstrated to be practically appealing — in [16]. Note that the undecidability
of dense-time MTL entails that the reduction technique must be incomplete,
i.e., there are cases in which we are unable to have a conclusive outcome to the
verification problem. However, as demonstrated in [16], and further shown here,
the impact of this shortcoming can be rendered small in many practical cases.

We start by providing a dense-time MTL axiomatization of TA. Notice that,
due to a well-known expressiveness gap between temporal logics and automata
P5], it is impossible to describe the language accepted by a generic TA as an
MTL formula. What we provide is instead a formal description of accepting
runs of a TA as an MTL formula; in other words, we model the overall behavior
of TA with a set of MTL axioms. The resulting MTL axioms are discretized
according to the rules provided in [16]. We show that this yields poor results
if done naively; hence, we carefully revise the axiomatization and put it in a
form which is much more amenable to discretization. The result is a set of
discretized MTL axioms describing TA runs. These axioms can be combined
with additional pieces of specification, written in MTL, and with the properties
to be verified. The resulting complete model can then be analyzed by means
of automated discrete-time tools; the results of the discrete-time analysis are
then used, as defined in [16], to finally infer results about the verification of the
original dense-time model. The experimental results are encouraging, both in
terms of performance and in terms of "completeness coverage" of the method.

In this paper we justify the soundness of the technique, which requires several 
analyses of the axiomatization and of the discretizations that are produced. It 
is important to understand, however, that the resulting technique (and tool) is 
completely automated, and the user has just to provide the dense-time model 
of the system (i.e., TA and MTL formulas) and the putative properties to be 
verified. 

1.2 Related Work 

To the best of our knowledge, our approach is rather unique in trying to com- 
bine operational and descriptive formalisms over dense time, then trading-off 
verification completeness against better performance and practical verification 
results. On the other hand, each of the "ingredients" of our method has been 
studied in isolation in the literature. In this section we briefly recall a few of 
the most important results in this respect. 

Dense-time verification of operational models is a very active field, and it
has produced a few high-performance tools and methods. Let us mention, for
instance, Uppaal [27], Kronos [35], HyTech [3Tj, and PHAVer [14] for the
verification of timed (and hybrid) automata. Notice that, although tools such as
Uppaal allow the usage of a descriptive notation to express the properties to be
verified, the temporal logic subset is very simple and of very limited expressive
power. In contrast, we allow basically full MTL to be freely used in both the
description of the model and in the formalization of the properties to be verified,
at the price of sacrificing completeness of verification.

Metric temporal logic (MTL) verification is also a well-understood research
topic. MTL is however known to be undecidable over dense time domains [4]. A
well-known solution to this limitation restricts the syntax of MTL formulas to
disallow the expression of exact (i.e., punctual) time distances [5]. The resulting
logic, called MITL, is fully decidable over dense time. However, the associated
decision procedures are rather difficult to implement in practice and, even if
recently significant progress has been made in simplifying them [28], a serviceable
implementation is still lacking.

Another stance at working around the undecidability of dense-time MTL
builds upon the fact that the same logic is decidable over discrete time. Hence,
a few approaches introduce some notion of discretization, that is partial reduction
of the verification problem from dense to discrete time. The present paper
goes in this direction by extending previous work on MTL [16] to the case of
TA. A different discretization technique, based on the notion of robust satisfiability
of MTL specifications, has been introduced in [THj. Other work also
deals with notions of robustness in order to guarantee that dense-time TA are
implementable with non-ideal architectures [11]. Another well-known notion of
discretization is the one based on the concept of digitization [22]; several authors
have applied this quite general notion to the practical verification of descriptive
[Sni [M [3 [Ml or operational [5Dl[ia[71[S[ia[Hl[51[lIl[in] formalisms. See
also the related work section of [Hj for more references about discretization
techniques.

2 Preliminaries and Definitions 
2.1 Behaviors 

Real-time system models describe the temporal behavior of some basic items
and propositions, which represent the observable "facts" of the system. More
precisely, an item $it$ is characterized by a finite domain $D^{it}$ (and we write $it : D^{it}$)
such that at any instant of time $it$ takes one of the values in $D^{it}$. On the other
hand, a proposition $p$ is simply a fact which can be true or false at any instant
of time.

A behavior is a formal model of a trace (or run) of some real-time system.
Given a time domain $\mathbb{T}$, a finite set $P$ of atomic propositions, and a finite set of
items $I$, a behavior $b$ is a mapping $b : \mathbb{T} \to D^{it_1} \times D^{it_2} \times \cdots \times D^{it_{|I|}} \times 2^{P}$ which
associates with every time instant $t \in \mathbb{T}$ the tuple $b(t) = (v_1, v_2, \ldots, P')$
of item values and the set $P' \subseteq P$ of propositions that are true at $t$. $\mathcal{B}_{\mathbb{T}}$ denotes the set of all
behaviors over $\mathbb{T}$, for an implicit fixed set of items and propositions.

$b(t)|_{it}$ and $b(t)|_{P}$ denote the projection of the tuple $b(t)$ over the component
corresponding to item $it$ and the set of propositions in $2^{P}$, respectively. Also,
$t \in \mathbb{T}$ is a transition point for behavior $b$ if $t$ is a discontinuity point of the
mapping $b$.

Whether $\mathbb{T}$ is a discrete, dense, or continuous set, we call a behavior over $\mathbb{T}$
discrete-, dense-, or continuous-time respectively. In this paper, we consider the
natural numbers $\mathbb{N}$ as discrete-time domain and the nonnegative real numbers
$\mathbb{R}_{\ge 0}$ as continuous-time (and dense-time) domain.

Non-Zeno and non-Berkeley. Over dense-time domains, it is customary to
consider only physically meaningful behaviors, namely those respecting the so-
called non-Zeno property. A behavior $b$ is non-Zeno if the sequence of transition
points of $b$ has no accumulation points. For a non-Zeno behavior $b$, the values
to the left and to the right of any transition point $t > 0$ are well defined; we
denote them by $b^-(t)$ and $b^+(t)$, respectively.

In this paper, we are interested in behaviors with a stronger requirement,
called non-Berkeleyness. Informally, a behavior $b$ is non-Berkeley for some positive
constant $\delta \in \mathbb{R}_{>0}$ if, for all $t \in \mathbb{T}$, there exists a closed interval $[u, u + \delta]$
of size $\delta$ such that $t \in [u, u + \delta]$ and $b$ is constant throughout $[u, u + \delta]$. Notice
that a non-Berkeley behavior (for any $\delta$) is non-Zeno a fortiori. The set of
all non-Berkeley dense-time behaviors for $\delta > 0$ is denoted by $\mathcal{B}^{\delta}_{\chi} \subset \mathcal{B}_{\mathbb{R}_{\ge 0}}$. In
the following we always assume behaviors to be non-Berkeley, unless explicitly
stated otherwise.

Syntax and semantics. From a purely semantic point of view, a (real-time)
system model is simply a set of behaviors [HJ, 15] over some time domain $\mathbb{T}$ and
sets of items and propositions. In practice, however, the modeler specifies a
system through some suitable notation. In this paper we consider Metric Temporal
Logic (MTL) [H] as descriptive notation, and TA [TJ, 2] as operational
notation. Their syntax and semantics are defined in the following.

Given an MTL formula or a TA $\mu$, and a behavior $b$, we write $b \models \mu$ to
denote that $b$ describes a system evolution which satisfies all the constraints
imposed by $\mu$. If $b \models \mu$ for some $b \in \mathcal{B}_{\mathbb{T}}$, $\mu$ is called $\mathbb{T}$-satisfiable; if $b \models \mu$ for
all $b \in \mathcal{B}_{\mathbb{T}}$, $\mu$ is called $\mathbb{T}$-valid. Similarly, if $b \models \mu$ for some $b \in \mathcal{B}^{\delta}_{\chi}$, $\mu$ is called
$\chi^{\delta}$-satisfiable; if $b \models \mu$ for all $b \in \mathcal{B}^{\delta}_{\chi}$, $\mu$ is called $\chi^{\delta}$-valid.

2.2 Metric Temporal Logic 

Let $P$ be a finite (non-empty) set of atomic propositions, $I$ be a finite set
of items, and $\mathcal{I}$ be the set of all (possibly unbounded) intervals of the time
domain $\mathbb{T}$ with rational endpoints.$^1$ Usually, one considers intervals with non-
negative endpoints, but we permit negative endpoints to render the presentation
more uniform and straightforward. Also, we abbreviate intervals with pseudo-
arithmetic expressions, such as $= d$, $< d$, $> d$, for $[d, d]$, $(0, d)$, and $[d, +\infty)$,
respectively.

MTL syntax. The following grammar defines the syntax of MTL, where $I \in
\mathcal{I}$ and $\beta$ is a Boolean combination of atomic propositions or conditions over
items, i.e., $\beta ::= p \mid it = v \mid \neg\beta \mid \beta_1 \wedge \beta_2$ for $p \in P$, $it \in I$, $v \in D^{it}$:$^2$

$\phi ::= \beta \mid \phi_1 \vee \phi_2 \mid \phi_1 \wedge \phi_2 \mid \mathrm{U}_I(\beta_1, \beta_2) \mid \mathrm{S}_I(\beta_1, \beta_2) \mid \mathrm{R}_I(\beta_1, \beta_2) \mid \mathrm{T}_I(\beta_1, \beta_2)$

In order to ease the presentation of the discretization techniques in Section
2.4, MTL formulas are introduced in a flat normal form where negations are
pushed down to (Boolean combinations of) atomic propositions, and temporal
operators are not nested. It should be clear, however, that any MTL formula
can be put into this form, possibly by introducing auxiliary propositional letters
[I2lll9j. The basic temporal operators of MTL are the bounded until $\mathrm{U}_I$ (and its
past counterpart bounded since $\mathrm{S}_I$), as well as its dual bounded release $\mathrm{R}_I$ (and
its past counterpart bounded trigger $\mathrm{T}_I$). The subscripts $I$ denote the interval of
time over which every operator predicates. In the following we assume a number
of standard abbreviations, such as $\bot$, $\top$, $\Rightarrow$, and, when $I = (0, \infty)$, we drop
the subscript interval of operators. The precedence order of logic connectives
is, from the one of highest binding power: $\neg$, $\wedge$, $\vee$, $\Rightarrow$.

MTL semantics. MTL semantics is defined over behaviors, parametrically
with respect to the choice of the time domain $\mathbb{T}$.

$^1$ That is, any $I \in \mathcal{I}$ is of the form $I = \langle l, u \rangle$ for some $l < u$ where $l \in \mathbb{T} \cap \mathbb{Q}$ and $u \in (\mathbb{T} \cap \mathbb{Q}) \cup \{\pm\infty\}$, $\langle$ is
one of ( and [, and similarly for $\rangle$.

$^2$ Note that $\neg(it = v)$ can be abbreviated as $it \neq v$.
$b(t) \models_{\mathbb{T}} p$ iff $p \in b(t)|_{P}$

$b(t) \models_{\mathbb{T}} it = v$ iff $v = b(t)|_{it}$

$b(t) \models_{\mathbb{T}} it \neq v$ iff $v \neq b(t)|_{it}$

$b(t) \models_{\mathbb{T}} \mathrm{U}_I(\beta_1, \beta_2)$ iff there exists $d \in I$ such that: $b(t + d) \models_{\mathbb{T}} \beta_2$
and, for all $u \in [0, d]$, it is $b(t + u) \models_{\mathbb{T}} \beta_1$

$b(t) \models_{\mathbb{T}} \mathrm{S}_I(\beta_1, \beta_2)$ iff there exists $d \in I$ such that: $b(t - d) \models_{\mathbb{T}} \beta_2$
and, for all $u \in [0, d]$, it is $b(t - u) \models_{\mathbb{T}} \beta_1$

$b(t) \models_{\mathbb{T}} \mathrm{R}_I(\beta_1, \beta_2)$ iff for all $d \in I$ it is: $b(t + d) \models_{\mathbb{T}} \beta_2$ or there exists
a $u \in [0, d)$ such that $b(t + u) \models_{\mathbb{T}} \beta_1$

$b(t) \models_{\mathbb{T}} \mathrm{T}_I(\beta_1, \beta_2)$ iff for all $d \in I$ it is: $b(t - d) \models_{\mathbb{T}} \beta_2$ or there exists
a $u \in [0, d)$ such that $b(t - u) \models_{\mathbb{T}} \beta_1$

$b(t) \models_{\mathbb{T}} \phi_1 \wedge \phi_2$ iff $b(t) \models_{\mathbb{T}} \phi_1$ and $b(t) \models_{\mathbb{T}} \phi_2$

$b(t) \models_{\mathbb{T}} \phi_1 \vee \phi_2$ iff $b(t) \models_{\mathbb{T}} \phi_1$ or $b(t) \models_{\mathbb{T}} \phi_2$

$b \models_{\mathbb{T}} \phi$ iff for all $t \in \mathbb{T}$: $b(t) \models_{\mathbb{T}} \phi$

We remark that a global satisfiability semantics is assumed, i.e., the satis- 
fiability of formulas is implicitly evaluated over all time instants in the time 
domain. This permits the direct and natural expression of most common real- 
time specifications (e.g., time-bounded response) without resorting to nesting of 
temporal operators. Also notice that our MTL variant uses operators that are 
non-strict in their first argument, i.e., the future and past include the present 
instant, and the until and since operators are matching, i.e., they require their 
two arguments to hold together at some instant in $I$. Other work [18] analyzes
the impact of these variants on expressiveness.
Granularity. For an MTL formula $\phi$, consider the set of all non-null, finite
interval bounds appearing in $\phi$. Then, $\mathcal{D}_\phi$ is the set of positive values $\delta$ such
that every such interval bound is an integer if divided by $\delta$.

2.2.1 MTL+/MTL* syntax and semantics.

In order to express the discretization relations in Section 2.4, it is necessary
to introduce some variations of the four basic temporal operators until, since,
release, and trigger, denoted as $\ddot{\mathrm{U}}_I$, $\ddot{\mathrm{S}}_I$, $\ddot{\mathrm{R}}_I$, and $\ddot{\mathrm{T}}_I$, respectively. Notice that they
are not part of the language in which dense-time specifications and properties
are to be expressed, and they are needed only to illustrate the discretization
techniques. We call "MTL+" the extension of MTL with these operators, and
"MTL*" the variant where we replace the operators $\mathrm{U}_I$, $\mathrm{S}_I$, $\mathrm{R}_I$, $\mathrm{T}_I$ with $\ddot{\mathrm{U}}_I$, $\ddot{\mathrm{S}}_I$,
$\ddot{\mathrm{R}}_I$, and $\ddot{\mathrm{T}}_I$, respectively.

Let us define the semantics of the new variants of until, since, release, and trigger;
they differ from the basic operators only in the side condition on the first argument,
which is quantified over the half-open $[0, d)$ for $\ddot{\mathrm{U}}_I$, $\ddot{\mathrm{S}}_I$ and over the closed $[0, d]$ for $\ddot{\mathrm{R}}_I$, $\ddot{\mathrm{T}}_I$.

$b(t) \models_{\mathbb{T}} \ddot{\mathrm{U}}_I(\phi_1, \phi_2)$ iff there exists $d \in I$ such that: $b(t + d) \models_{\mathbb{T}} \phi_2$
and, for all $u \in [0, d)$, it is $b(t + u) \models_{\mathbb{T}} \phi_1$

$b(t) \models_{\mathbb{T}} \ddot{\mathrm{S}}_I(\phi_1, \phi_2)$ iff there exists $d \in I$ such that: $b(t - d) \models_{\mathbb{T}} \phi_2$
and, for all $u \in [0, d)$, it is $b(t - u) \models_{\mathbb{T}} \phi_1$

$b(t) \models_{\mathbb{T}} \ddot{\mathrm{R}}_I(\phi_1, \phi_2)$ iff for all $d \in I$ it is: $b(t + d) \models_{\mathbb{T}} \phi_2$ or there exists
a $u \in [0, d]$ such that $b(t + u) \models_{\mathbb{T}} \phi_1$

$b(t) \models_{\mathbb{T}} \ddot{\mathrm{T}}_I(\phi_1, \phi_2)$ iff for all $d \in I$ it is: $b(t - d) \models_{\mathbb{T}} \phi_2$ or there exists
a $u \in [0, d]$ such that $b(t - u) \models_{\mathbb{T}} \phi_1$
2.2.2 Derived Temporal Operators

It is useful to introduce a number of derived temporal operators, to be used as
shorthands in writing specification formulas. We consider those listed in Table
1 ($\delta \in \mathbb{R}_{>0}$ is a parameter that will be used in the discretization technique
described shortly).



Operator / Definition

$\Diamond_I(\beta) \equiv \mathrm{U}_I(\top, \beta)$

$\overleftarrow{\Diamond}_I(\beta) \equiv \mathrm{S}_I(\top, \beta)$

$\Box_I(\beta) \equiv \mathrm{R}_I(\bot, \beta)$

$\overleftarrow{\Box}_I(\beta) \equiv \mathrm{T}_I(\bot, \beta)$

$\bigcirc(\beta) \equiv \mathrm{U}_{(0,+\infty)}(\beta, \top) \vee (\neg\beta \wedge \mathrm{R}_{(0,+\infty)}(\beta, \bot))$

$\overleftarrow{\bigcirc}(\beta) \equiv \mathrm{S}_{(0,+\infty)}(\beta, \top) \vee (\neg\beta \wedge \mathrm{T}_{(0,+\infty)}(\beta, \bot))$

$\widetilde{\bigcirc}(\beta) \equiv \beta \wedge \bigcirc(\beta)$

$\overleftarrow{\widetilde{\bigcirc}}(\beta) \equiv \beta \wedge \overleftarrow{\bigcirc}(\beta)$

$\Delta(\beta_1, \beta_2) \equiv \overleftarrow{\bigcirc}(\beta_1) \wedge (\beta_2 \vee \bigcirc(\beta_2))$ if $\mathbb{T} = \mathbb{R}_{\ge 0}$

$\widetilde{\Delta}(\beta_1, \beta_2) \equiv \beta_1 \wedge \Diamond_{=\delta}(\beta_2)$ if $\mathbb{T} = \mathbb{R}_{\ge 0}$; $\beta_1 \wedge \Diamond_{=1}(\beta_2)$ if $\mathbb{T} = \mathbb{N}$

Table 1: MTL derived temporal operators



Let us describe informally the meaning of such derived operators, focusing on
future ones (the meaning of the corresponding past operators is easily derivable).
$\Diamond_I(\beta)$ means that $\beta$ happens within time interval $I$ in the future. $\Box_I(\beta)$ means
that $\beta$ holds throughout the whole interval $I$ in the future. $\bigcirc(\beta)$ denotes that $\beta$
holds throughout some non-empty interval in the strict future; in other words,
if $t$ is the current instant, there exists some $t' > t$ such that $\beta$ holds over $(t, t')$.
Similarly, $\widetilde{\bigcirc}(\beta)$ denotes that $\beta$ holds throughout some non-empty interval which
includes the current instant, i.e., over some $[t, t')$. Then, $\Delta(\beta_1, \beta_2)$ describes a
switch from condition $\beta_1$ to condition $\beta_2$, without specifying which value holds
at the current instant. On the other hand, $\widetilde{\Delta}(\beta_1, \beta_2)$ describes a switch from
condition $\beta_1$ to condition $\beta_2$ such that $\beta_1$ holds at the current instant.

In addition, for an item $it$ we introduce the shorthand $\Delta(it, v^-, v^+)$ for
$\Delta(it = v^-, it = v^+)$. A similar abbreviation is assumed for $\widetilde{\Delta}(it, v^-, v^+)$.

Finally, let us abbreviate by $\mathrm{Alw}(\phi)$ the nesting MTL formula $\phi \wedge \overleftarrow{\Box}_{(0,+\infty)}(\phi) \wedge \Box_{(0,+\infty)}(\phi)$;
$b \models \mathrm{Alw}(\phi)$ iff $b \models \phi$, for any behavior $b$, so $\mathrm{Alw}(\phi)$ can be expressed
without nesting if $\phi$ is flat, through the global satisfiability semantics
introduced beforehand.



2.3 Operational Model: Timed Automata

We introduce a variant of TA which differs from the classical definitions (e.g., [T])
in that it recognizes behaviors, rather than timed words [ll[5S]. Correspondingly,
input symbols are associated with locations rather than with transitions. Also,
we introduce the following simplifications that are known to be without loss
of generality: we do not define location clock invariants (also called staying
conditions) and use transition guards only, and we forbid self-loop transitions.

On the other hand, we introduce one additional variant which does impact
expressiveness, namely clock constraints do not distinguish between different
transition edges, that is between transitions occurring right- and left-continuously.
This restriction is motivated by our ultimate goal of discretizing
TA: as it will be explained later, such distinctions would inevitably be lost in
the discretization process, hence we give them up already.

Finally, for the sake of simplicity, let us not consider acceptance conditions,
that is let us assume that all states are accepting. Note, however, that introducing
acceptance conditions (e.g., Büchi, Muller, etc.) in the formalization would
be routine.

Timed automata syntax. For a set $C$ of clock variables, the set $\Phi(C)$ of
clock constraints $\xi$ is defined inductively by

$\xi ::= c < k \mid c > k \mid \xi_1 \wedge \xi_2 \mid \xi_1 \vee \xi_2$

where $c$ is a clock in $C$ and $k$ is a constant in $\mathbb{Q}_{\ge 0}$.

A timed automaton $A$ is a tuple $(\Sigma, S, S_0, \alpha, C, E)$, where:

• $\Sigma$ is a finite (input) alphabet,

• $S$ is a finite set of locations,

• $S_0 \subseteq S$ is a finite set of initial locations,

• $\alpha : S \to 2^{\Sigma}$ is a location labeling function that assigns to each location
$s \in S$ a set $\alpha(s)$ of propositions,

• $C$ is a finite set of clocks, and

• $E \subseteq S \times S \times 2^{C} \times \Phi(C)$ is a set of transitions. An edge $(s, s', \Lambda, \xi)$ represents
a transition from state $s$ to state $s' \neq s$; the set $\Lambda \subseteq C$ identifies the clocks
to be reset with this transition, and $\xi$ is a clock constraint over $C$.

Timed automata semantics. In defining the semantics of TA over behaviors
we deviate from the standard presentation (e.g., [IIEHI) in that we do not
represent TA as acceptors of behaviors over the input alphabet $\Sigma$, but rather as
acceptors of behaviors representing what are usually called runs of the automaton.
In other words, we introduce automata as acceptors of behaviors over the
items $st$ and $in$ representing respectively the current location and the current
input symbol, as well as propositions $rs_c$, for $c \in C$, representing the clock reset status.
This departure from more traditional presentations is justified by the fact that
we intend to provide an MTL axiomatic description of TA runs — rather than
accepted languages, which would be impossible for a well-known expressiveness
gap [53] — hence we define the semantics of automata over this "extended"
state from the beginning.

Let us first define the semantics only informally. Initially, all clocks are reset
and the automaton sits in some state $s_0 \in S_0$. At any given time $t$, when the
automaton is in some state $s$, it can take nondeterministically a transition to
some other state $s'$ such that $(s, s', \Lambda, \xi)$ is a valid transition, provided the last
time (before $t$) each clock has been reset is compatible with the constraint $\xi$. If
the transition is taken, all clocks in $\Lambda$ are reset, whereas all the other clocks keep
on running unchanged. Finally, as long as the automaton sits in any state $s$,
the input has to satisfy the location labeling function $\alpha(s)$, namely the current
input corresponds to exactly one of the propositions in $\alpha(s)$.

Formally, a timed automaton $A = (\Sigma, S, S_0, \alpha, C, E)$ is interpreted over
behaviors over items $st : S$, $in : \Sigma$ and propositions $R = \{rs_c\}_{c \in C}$. Intuitively, at
any instant of time $st = s$ means that the automaton is in state $s$, $in = \sigma$
means that the automaton is reading symbol $\sigma$, and $rs_c$ keeps track of resets
of clock $c$ (more precisely, we model such resets through switches, from false to
true or vice versa, of $rs_c$).

Let $b$ be such a behavior, and let $t$ be one of its transition points. Satisfaction
of clock constraints at $t$ is defined as follows:

$b(t) \models c < k$ iff either $b^-(t) \models rs_c$ and there exists a $t - k < t' < t$
such that $b(t') \not\models rs_c$, or $b^-(t) \not\models rs_c$ and there
exists a $t - k < t' < t$ such that $b(t') \models rs_c$

$b(t) \models c > k$ iff either $b^-(t) \models rs_c$ and for all $t - k < t' < t$:
$b(t') \models rs_c$; or $b^-(t) \not\models rs_c$ and for all
$t - k < t' < t$: $b(t') \not\models rs_c$

Notice that this corresponds to looking for the previous time the proposition $rs_c$
switched (from false to true or from true to false) and counting time since then.
This requires a little hack in the definition of the semantics: namely, a first start
reset of all clocks is issued before the "real" run begins; this is represented by
time instant $t_{\mathrm{start}}$ in the formal semantics below.

Then, a behavior $b$ over $st : S$, $in : \Sigma$, $R$ (with $b : \mathbb{R}_{\ge 0} \to S \times \Sigma \times 2^{R}$) is a
run of the automaton $A$, and we write $b \models_{\mathbb{R}_{\ge 0}} A$, iff:

• $b(0) = (s_0, \sigma, \bigcup_{c \in C}\{rs_c\})$ and $\sigma \in \alpha(s_0)$ for some $s_0 \in S_0$;

• there exists a transition instant $t_{\mathrm{start}} > 0$ such that: $b(t)|_{st} = s_0$ and
$b(t)|_{R} = R$ for all $0 \le t < t_{\mathrm{start}}$, $b^-(t_{\mathrm{start}}) = (s_0, \sigma^-, \rho^-)$ and $b^+(t_{\mathrm{start}}) =
(s^+, \sigma^+, \rho^+)$ with $\rho^- = R$ and $\rho^+ = \emptyset$;

• for all $t \in \mathbb{R}_{\ge 0}$: $b(t)|_{in} \in \alpha(b(t)|_{st})$;

• for all transition instants $t > t_{\mathrm{start}}$ of $b|_{st}$ or $b|_{R}$ such that $b^-(t) =
(s^-, \sigma^-, \rho^-)$ and $b^+(t) = (s^+, \sigma^+, \rho^+)$, it is: $(s^-, s^+, \Lambda, \xi) \in E$, $\sigma^- \in
\alpha(s^-)$, $\sigma^+ \in \alpha(s^+)$, $\rho = \bigcup_{c \in \Lambda}\{rs_c\}$, $\rho = (\rho^+ \setminus \rho^-) \cup (\rho^- \setminus \rho^+)$, and
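As an added example (not code from the paper), the following Python reads the run conditions above over a piecewise-constant dense-time behavior: resets of clock $c$ are the switches of the proposition $rs_c$, a clock constraint is checked by locating the last such switch before the transition instant, and every transition instant after $t_{\mathrm{start}}$ is matched against an edge of a constructed two-location automaton. The segment representation of behaviors, the tuple encoding of guards, the automaton and the candidate runs are all assumptions of the example.

```python
from fractions import Fraction as F

# Constructed example (not the paper's code).  A dense-time behavior is piecewise constant:
# each signal is a list of (start, value) segments in increasing order of start (first start 0),
# holding its value on [start, next_start).  Signals: 'st' (location), 'in' (input symbol) and
# one proposition 'rs_c' per clock c, whose switches encode the resets of c.

def value_at(signal, t):
    """b(t) = b^+(t): value of the segment active at t (signals are right-continuous)."""
    return [v for s, v in signal if s <= t][-1]

def left_limit(signal, t):
    """b^-(t): value of the segment active just before t (t > 0)."""
    return [v for s, v in signal if s < t][-1]

def last_switch(signal, t):
    """Start of the last segment beginning strictly before t; None if the signal never switched."""
    starts = [s for s, _ in signal if 0 < s < t]
    return starts[-1] if starts else None

def clock_holds(b, t, xi):
    """b(t) |= xi, reading a clock as the time elapsed since rs_c last switched."""
    if xi[0] == 'and':
        return clock_holds(b, t, xi[1]) and clock_holds(b, t, xi[2])
    if xi[0] == 'or':
        return clock_holds(b, t, xi[1]) or clock_holds(b, t, xi[2])
    op, c, k = xi
    s = last_switch(b['rs_' + c], t)
    if op == '<':
        # some t' in (t-k, t) where rs_c differs from b^-(t): the last switch lies after t-k
        return s is not None and s > t - k
    # op == '>': rs_c equals b^-(t) throughout (t-k, t): no switch after t-k
    return s is None or s <= t - k

def snapshot(b, t, side):
    """(location, input, set of true rs_c) at t^- (side '-') or t^+ (side '+')."""
    get = left_limit if side == '-' else value_at
    resets = {name for name in b if name.startswith('rs_') and get(b[name], t)}
    return get(b['st'], t), get(b['in'], t), resets

def transition_valid(A, b, t):
    """Edge condition of a run at a transition instant t > t_start."""
    _, _, _, alpha, _, E = A
    (s_m, in_m, rho_m), (s_p, in_p, rho_p) = snapshot(b, t, '-'), snapshot(b, t, '+')
    switched = rho_m ^ rho_p                     # (rho+ \ rho-) U (rho- \ rho+)
    return any((src, dst) == (s_m, s_p) and in_m in alpha[src] and in_p in alpha[dst]
               and switched == {'rs_' + c for c in reset} and clock_holds(b, t, xi)
               for src, dst, reset, xi in E)

def initial_ok(A, b):
    """b(0) = (s0, sigma, all rs_c true) with s0 in S0 and sigma in alpha(s0)."""
    _, _, S0, alpha, C, _ = A
    s0, sigma, resets = snapshot(b, 0, '+')
    return s0 in S0 and sigma in alpha[s0] and resets == {'rs_' + c for c in C}

def transition_instants(b, t_start):
    """Transition points of b|st or b|R after the start reset."""
    return sorted({s for name, sig in b.items() if name != 'in' for s, _ in sig if s > t_start})

# Constructed automaton: s0 --(x > 1, reset {x})--> s1 --(x < 2, no reset)--> s0;
# input 'a' is read in s0 and 'b' in s1.
A = ({'a', 'b'}, {'s0', 's1'}, {'s0'}, {'s0': {'a'}, 's1': {'b'}}, {'x'},
     [('s0', 's1', {'x'}, ('>', 'x', 1)), ('s1', 's0', set(), ('<', 'x', 2))])
T_START = F(1, 2)          # the start reset that precedes the "real" run

def make_run(t1, t2):
    """Constructed candidate run taking the first edge at t1 and the second at t2."""
    return {'st':   [(0, 's0'), (t1, 's1'), (t2, 's0')],
            'in':   [(0, 'a'), (t1, 'b'), (t2, 'a')],
            'rs_x': [(0, True), (T_START, False), (t1, True)]}

def check_run(b):
    """Initial condition plus (instant, edge condition holds) for each transition instant."""
    return initial_ok(A, b), [(t, transition_valid(A, b, t)) for t in transition_instants(b, T_START)]

if __name__ == '__main__':
    print(check_run(make_run(2, F(7, 2))))      # both edges taken legally
    print(check_run(make_run(F(6, 5), 3)))      # first edge taken when x = 0.7, so x > 1 fails
```

The second candidate run takes the first edge at $6/5$, only $0.7$ after the start reset, so the guard $x > 1$ fails while the later edge is still accepted. Read literally, the definition above makes $c > k$ hold and $c < k$ fail when the last switch of $rs_c$ lies exactly $k$ before $t$; the code follows that reading, and the reset encoding means a location change without resets leaves every $rs_c$ unchanged.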

2.4 Discrete-Time Approximations of Continuous-Time
Specifications

In [16] we presented a technique to reduce the validity problem for MTL specifications
over dense time to the same problem over discrete time. In this section
we concisely summarize the fundamental results from [16] that are needed in
the remainder of the paper, and we provide some intuition about how they can
be applied to our discretization problem.
2.4.1 Under- and Over-approximations of Formulas

We introduce two approximations of MTL formulas, called under- and over-approximation.

Under-approximation. The approximation function $\Omega_\delta(\cdot)$ maps dense-time
MTL formulas to discrete-time MTL* formulas such that the non-validity of
the latter implies the non-validity of the former, over behaviors in $\mathcal{B}^{\delta}_{\chi}$. More
precisely, for MTL formulas $\phi$ such that the chosen sampling period $\delta$ is in $\mathcal{D}_\phi$,
$\Omega_\delta(\cdot)$ is defined as follows.

$\Omega_\delta(\beta) = \beta$

$\Omega_\delta(\phi_1 \wedge \phi_2) = \Omega_\delta(\phi_1) \wedge \Omega_\delta(\phi_2)$

$\Omega_\delta(\phi_1 \vee \phi_2) = \Omega_\delta(\phi_1) \vee \Omega_\delta(\phi_2)$

$\Omega_\delta(\mathrm{U}_{\langle l,u\rangle}(\phi_1, \phi_2)) = \ddot{\mathrm{U}}_{\langle l/\delta,\, u/\delta\rangle}(\Omega_\delta(\phi_1), \Omega_\delta(\phi_2))$

$\Omega_\delta(\mathrm{S}_{\langle l,u\rangle}(\phi_1, \phi_2)) = \ddot{\mathrm{S}}_{\langle l/\delta,\, u/\delta\rangle}(\Omega_\delta(\phi_1), \Omega_\delta(\phi_2))$

$\Omega_\delta(\mathrm{R}_{\langle l,u\rangle}(\phi_1, \phi_2)) = \ddot{\mathrm{R}}_{\langle l/\delta,\, u/\delta\rangle}(\Omega_\delta(\phi_1), \Omega_\delta(\phi_2))$

$\Omega_\delta(\mathrm{T}_{\langle l,u\rangle}(\phi_1, \phi_2)) = \ddot{\mathrm{T}}_{\langle l/\delta,\, u/\delta\rangle}(\Omega_\delta(\phi_1), \Omega_\delta(\phi_2))$

where $\langle l/\delta, u/\delta\rangle$ has the same kind of endpoints (open or closed) as $\langle l, u\rangle$.

Over-approximation. The approximation function $\mathrm{O}_\delta(\cdot)$ maps dense-time
MTL formulas to discrete-time MTL formulas such that the validity of the latter
implies the validity of the former, over behaviors in $\mathcal{B}^{\delta}_{\chi}$. More precisely, for MTL
formulas $\phi$ such that the chosen sampling period $\delta$ is in $\mathcal{D}_\phi$, $\mathrm{O}_\delta(\cdot)$ is defined as
follows.



$\mathrm{O}_\delta(\beta) = \beta$

$\mathrm{O}_\delta(\phi_1 \vee \phi_2) = \mathrm{O}_\delta(\phi_1) \vee \mathrm{O}_\delta(\phi_2)$

$\mathrm{O}_\delta(\phi_1 \wedge \phi_2) = \mathrm{O}_\delta(\phi_1) \wedge \mathrm{O}_\delta(\phi_2)$

$\mathrm{O}_\delta(\mathrm{U}_{\langle l,u\rangle}(\phi_1, \phi_2)) = \mathrm{U}_{[l/\delta + 1,\, u/\delta - 1]}(\mathrm{O}_\delta(\phi_1), \mathrm{O}_\delta(\phi_2))$

$\mathrm{O}_\delta(\mathrm{S}_{\langle l,u\rangle}(\phi_1, \phi_2)) = \mathrm{S}_{[l/\delta + 1,\, u/\delta - 1]}(\mathrm{O}_\delta(\phi_1), \mathrm{O}_\delta(\phi_2))$

$\mathrm{O}_\delta(\mathrm{R}_{\langle l,u\rangle}(\phi_1, \phi_2)) = \mathrm{R}_{[l/\delta - 1,\, u/\delta + 1]}(\mathrm{O}_\delta(\phi_1), \mathrm{O}_\delta(\phi_2))$

$\mathrm{O}_\delta(\mathrm{T}_{\langle l,u\rangle}(\phi_1, \phi_2)) = \mathrm{T}_{[l/\delta - 1,\, u/\delta + 1]}(\mathrm{O}_\delta(\phi_1), \mathrm{O}_\delta(\phi_2))$



2.4.2 System Verification through Approximation

We have the following fundamental verification result from [16], which provides
a justification for the TA verification technique discussed in this paper.

Proposition 1 (Approximations [16]). For any MTL formulas $\phi_1, \phi_2$, and
for any $\delta \in \mathcal{D}_{\phi_1 \wedge \phi_2}$: (1) if $\mathrm{Alw}(\Omega_\delta(\phi_1)) \Rightarrow \mathrm{Alw}(\mathrm{O}_\delta(\phi_2))$ is $\mathbb{N}$-valid, then
$\mathrm{Alw}(\phi_1) \Rightarrow \mathrm{Alw}(\phi_2)$ is $\chi^{\delta}$-valid; and (2) if $\mathrm{Alw}(\mathrm{O}_\delta(\phi_1)) \Rightarrow \mathrm{Alw}(\Omega_\delta(\phi_2))$ is
not $\mathbb{N}$-valid, then $\mathrm{Alw}(\phi_1) \Rightarrow \mathrm{Alw}(\phi_2)$ is not $\chi^{\delta}$-valid.

2.4.3 Discussion 

Proposition 1 suggests a verification technique which builds two formulas through
a suitable composition of over- and under-approximations of the system description
and the putative properties, and it infers the validity of the properties from
the results of a discrete-time validity checking. The technique is incomplete
as, in particular, when approximation (1) is not valid and approximation (2) is
valid we cannot infer anything about the validity of the property in the original
system over dense time.

Let us now provide some evidence about why different, but equivalent, dense-
time formulas can yield dramatically different — in terms of usefulness — approximated
discrete-time formulas. We provide one in-the-small example for
over-approximations and one for under-approximations. More concrete examples
will appear in Section 4 when building approximations of TA's axiomatic
description.

Let us consider the dense-time MTL formula $\theta_1 = \Box_{(0,\delta)}(p)$ which, under the
global satisfiability semantics, says that $p$ is always true. Its under-approximation
is $\Omega_\delta(\theta_1) = \ddot{\mathrm{R}}_{(0,1)}(\bot, p)$, i.e., $\Box_{(0,1)}(p)$ with the variant release, which holds for
any discrete-time behavior (no instant of $\mathbb{N}$ lies at a distance in $(0,1)$ from the current one)! Thus,
we have an under-approximation which is likely too coarse, as it basically adds
no information to the discrete-time representation. So, if we build formula
(1) from Proposition 1 with $\Omega_\delta(\theta_1)$ in it, it is most likely that the antecedent
will be trivially satisfiable (because $\Omega_\delta(\theta_1)$ introduces no constraint) and hence
formula (1) will be non-valid, yielding no information to the verification process.
If, however, we modify $\theta_1$ into the equivalent $\theta'_1 = p \wedge \theta_1$ we get an under-approximation
which can be written as simply $\Omega_\delta(\theta'_1) = p$, which correctly entails
that $p$ is always true over discrete time as well. This is likely a much better
approximation, one which better preserves the original "meaning" of $\theta_1$.

Let us now consider dense-time MTL formula 02 — 0[o 2S] (P)' '^hich describes 
a proposition p which is false for no longer than 2S time units. If we compute 
its over- approximation, we get Os (6*2) = 0=i(p) which, under the global satisfi- 
ability semantics, entails that p is always true. Although the actual assessment 
depends on the role 9 plays in the overall specification, it is likely that this 
over-approximation is too coarse, as it basically adds "too strong" information 
to the discrete-time representation. So, if we build formula (2) from Proposition 
□ with Os (92) in it, it is very likely that the antecedent will be unsatisfiable 
(because Os (^2) introduces a very strong constraint) and hence formula (2) will 
be valid, yielding no information to the verification process. On the contrary, 
if we simply modify 92 into the equivalent 92 — p W 92 we get an over-approxi- 
mation which can be written as Os (^^2) = ^[0 i](P)' P false no more than 
every two time steps. This looks like a much better approximation, one which 
better preserves the original "meaning" of ^2- 

3 Formalizing Timed Automata in MTL 

Let us consider a timed automaton $\mathcal{A} = \langle \Sigma, S, S_0, \alpha, C, E \rangle$ and let us formalize 
its runs over non-Berkeley behaviors for some $\delta > 0$. In other words, we are 
going to provide a set of formulas $\phi_1, \ldots, \phi_6$ such that, for all non-Berkeley 
behaviors $b$, $b \models \mathcal{A}$ iff $b \models \phi_j$ for all $j = 1, \ldots, 6$. 

Translating clock constraints. We associate an MTL formula $\Xi(\xi)$ to every 
clock constraint $\xi$ such that $b(t) \models \xi$ iff $b(t) \models \Xi(\xi)$ at all transition points $t$. 
$\Xi(\xi)$ can be defined inductively as: 

$$\begin{aligned}
\Xi(c < k) &\equiv \bigcirc(rs_c) \wedge \blacklozenge_{(0,k)}(\neg rs_c) \;\vee\; \bigcirc(\neg rs_c) \wedge \blacklozenge_{(0,k)}(rs_c) \\
\Xi(c > k) &\equiv \bigcirc(rs_c) \wedge \blacksquare_{(0,k)}(rs_c) \;\vee\; \bigcirc(\neg rs_c) \wedge \blacksquare_{(0,k)}(\neg rs_c) \\
\Xi(\xi_1 \wedge \xi_2) &\equiv \Xi(\xi_1) \wedge \Xi(\xi_2)
\end{aligned}$$

Basically, $\Xi$ translates the guard $\xi$ by comparing the current time to the last 
time a reset for the clock $c$ happened, where a reset is signaled by a switching 
of item $rs_c$. Notice that this assumes the existence of a "first reset" of all clocks, 
as specified in the formal semantics of TA, and as will be postulated in Formula 
(5) below. Also notice that, when computing the approximations of the clock-constraint 
formulas, we will have to require that every constant $k$ used in the 
definition of the TA is an integral multiple of $\delta$. 



Necessary conditions for state change. Let us state the necessary conditions 
that characterize a state change. For any pair of states $s_i, s_j \in S$ such 
that there are $K$ transitions $(s_i, s_j, \Lambda^k, \xi^k) \in E$ for all $1 \le k \le K$, we introduce 
the axiom: 

$$\Delta(st, s_i, s_j) \;\Rightarrow\; \bigvee_{k} \Big( \Xi(\xi^k) \wedge \bigwedge_{c \in \Lambda^k} \big( \Delta(\neg rs_c, rs_c) \vee \Delta(rs_c, \neg rs_c) \big) \Big) \qquad (1)$$

Complementarily, we introduce an axiom to assert that for any pair of states 
$s_i \ne s_j \in S$ such that $(s_i, s_j, \Lambda, \xi) \notin E$ for any $\Lambda, \xi$, i.e., for any pair of states 
that are not connected by any edge: 

$$\neg\Delta(st, s_i, s_j) \qquad (2)$$

Sufficient conditions for state change. We have multiple sufficient conditions 
for state changes; basically, they account for reactions to reading input 
symbols and resetting clocks. Let us consider input first: the staying condition 
in every state must be satisfied always, so for all $s \in S$ we add the axiom: 

$$st = s \;\Rightarrow\; in \in \alpha(s) \qquad (3)$$

Then, for each reset of a clock $c \in C$, let us consider all edges of the form 
$(s_1^k, s_2^k, \Lambda^k, \xi^k) \in E$ such that $c \in \Lambda^k$. Hence, we introduce the pair of axioms: 

$$\begin{aligned}
\Delta(\neg rs_c, rs_c) &\;\Rightarrow\; \bigvee_{k} \Delta(st, s_1^k, s_2^k) \\
\Delta(rs_c, \neg rs_c) &\;\Rightarrow\; \bigvee_{k} \Delta(st, s_1^k, s_2^k) \;\vee\; \bigvee_{s_0 \in S_0} \blacksquare_{(0,+\infty)}\Big( \bigwedge_{c \in C} rs_c \wedge st = s_0 \Big)
\end{aligned} \qquad (4)$$

Note that the second axiom has an additional part that takes into account the 
instants before the first reset (which must occur somewhere, as shown in (5), and 
which corresponds to the instants before $t_{start}$ in the formal semantics), whereas 
the first one is not applicable before such a first reset. 
Initialization and liveness condition. We complete our axiomatization by 
first describing the system initialization. 

We remark that the following axiom is only evaluated at 0. Notice that, 
under the global satisfiability semantics and with a mono-infinite time domain, 
a formula $\varphi$ that should be only evaluated at 0 can be expressed as $\blacksquare(\bot) \Rightarrow \varphi$, 
as $\blacksquare(\bot)$ holds only where there is no past, i.e., at 0. 



Notice that we make the axiomatization slightly more "deterministic" than the 
formal semantics, in that we require that $t_{start}$, when the first reset of the 
clocks occurs, is between 0 and $2\delta$; this, combined with the non-Berkeleyness 
requirement, says that it actually occurs between $\delta$ and $2\delta$. All in all, (5) 
pictures the following initialization: 

• $rs_c$ holds over $[0, \delta]$ for all $c \in C$; 

• $rs_c$ switches to false at some $t_{start} \in (\delta, 2\delta]$ for all $c \in C$ (clearly, this transition 
point is the same for all $c \in C$, still because of the non-Berkeleyness 
assumption); 

• $st = s_0$ holds for some $s_0 \in S_0$ over $[0, \delta]$; 

• because of the non-Berkeleyness assumption, if $st$ changes in $(\delta, 2\delta]$ it does 
so together with the resets at $t_{start}$; 

• $\Delta(rs_c, \neg rs_c)$ holds at $t_{start}$ for all $c \in C$; the consequent of (4) is true 
because of the disjunct $\blacksquare_{(0,+\infty)}(\bigwedge_{c \in C} rs_c \wedge st = s_0)$ which holds at $t_{start}$. 

Finally, we often introduce a "liveness" condition which states that we eventually 
have to move out of every state, corresponding to the fact that all states 
are accepting à la Büchi. Thus, for every state $s \in S$, let $S_s \subseteq S$ be the set 
of states that are directly reachable from $s$ through a single transition; then we 
consider the axiom: 



3.1 About the Correctness and Completeness of the Axiomatization 

We omit a proof of the completeness and correctness of the axiomatization; we 
refer the reader to [19, App. D.6] where a proof for a similar axiomatization is 
sketched. Here, we just add a few remarks that can help justify the correctness 
and appropriateness of the present axiomatization. 

Proposition 2 (MTL TA Axiomatization). Let $\mathcal{A} = \langle \Sigma, S, S_0, \alpha, C, E \rangle$ be a 
timed automaton, $\phi_1, \ldots, \phi_6$ be formulas (1)–(6) for TA $\mathcal{A}$, and let $b \in \mathcal{B}_\delta$ be 
any non-Berkeley behavior over items $st : S$, $in : \Sigma$ and propositions in $R$. Then 
$b \models \mathcal{A}$ for some $t_{start} \in (\delta, 2\delta]$¹ if and only if $b \models \bigwedge_{1 \le j \le 6} \phi_j$. 

¹ This additional condition is introduced to take into account the particular form of the 
initialization axiom (5). 
State changes can occur right- or left-continuously. It should be clear 
that the above axiomatization with the becomes operators does not force any 
item to transition either right- or left-continuously; in fact, the operator allows 
both possibilities. Over dense time, however, it would have been possible to 
force transitions to occur either always right- or always left-continuously. For 
instance, right-continuity can be achieved in one of the following ways: 

• add formulas such as $\bigcirc(st = s_i) \Rightarrow st = s_i$; 

• add formulas such as $\bigwedge_{i \ne j} \neg\big(st = s_i \wedge \bigcirc(st = s_j)\big)$. 


Correspondingly, the whole formalization could have been simplified a bit by taking 
into account this new property. 

Unfortunately, however, it is not difficult to see that all solutions would 
yield very poor discrete-time over-approximations, where by very poor we mean 
comprising only very trivial behaviors, and thus offering a very weak support to 
verification. For instance, the over- and under-approximations of $\bigcirc(st = s_i) \Rightarrow st = s_i$ 
would require $st$ to stay equal to $s_i$ forever once it takes such a value. Intuitively, 
this is due to the fact that fine-grained information such as the edge of items 
at transition points is lost with a finite-precision sampling. There may be workarounds 
for this, but it seems that they are overly complex. On the other hand, 
forgetting about characterizing transitions as right- or left-continuous allows 
us to get a much more straightforward axiomatization while still getting our 
approximations to work reasonably well. 

4 Discrete-Time Approximations of Timed Automata 

Let us show how to compute the under- and over-approximation of formulas 
(1)–(6) in a suitable way. 

4.1 Under-approximation 

The particular form of formulas (1)–(4) is unsuitable to produce under-approximations 
that are strong enough to be useful. 

Let us first of all notice that $\Omega_\delta(\bigcirc(\beta)) = \Diamond_{[0,1]}(\beta)$ and $\Omega_\delta(\odot(\beta)) = \blacklozenge_{[0,1]}(\beta)$. 
In fact, over dense time, the definition of the nowon operator can be rewritten 
equivalently as: $(\beta \wedge U_{(0,+\infty)}(\beta, \top)) \vee (\neg\beta \wedge R_{(0,+\infty)}(\beta, \bot))$, whose 
under-approximation is: $(\beta \wedge U_{\ge -1}(\beta, \top)) \vee (\neg\beta \wedge R_{\ge 1}(\beta, \bot))$. Over discrete time, 
the latter is equivalent to $\beta \vee \neg\beta \wedge \Diamond_{=1}(\beta) = \Diamond_{[0,1]}(\beta)$. Correspondingly, 
$\Omega_\delta(\Delta(\beta_1, \beta_2)) = \blacklozenge_{[0,1]}(\beta_1) \wedge \Diamond_{[0,1]}(\beta_2)$. Then, for $\beta_1, \beta_2$ that cannot hold at the 
same instant (i.e., $\neg(\beta_1 \wedge \beta_2)$), this approximation is a suitable discrete-time 
representation of a transition from $\beta_1$ to $\beta_2$. However, consider 

$$\Omega_\delta(\neg\Delta(\beta_1, \beta_2)) = \Omega_\delta\big(\odot(\neg\beta_1) \vee \neg\beta_2 \wedge \bigcirc(\neg\beta_2)\big) = \blacklozenge_{[0,1]}(\neg\beta_1) \vee \neg\beta_2 \wedge \Diamond_{[0,1]}(\neg\beta_2) = \blacklozenge_{[0,1]}(\neg\beta_1) \vee \neg\beta_2 .$$

First, $\Omega_\delta(\neg\Delta(\beta_1, \beta_2)) \ne \neg\Omega_\delta(\Delta(\beta_1, \beta_2))$; since we use $\Delta(\beta_1, \beta_2)$ to describe 
transitions, there are discrete-time behaviors where such a transition both occurs and 
does not occur, i.e., $\Omega_\delta(\Delta(\beta_1, \beta_2))$ and $\Omega_\delta(\neg\Delta(\beta_1, \beta_2))$ are both true. Second, 
$\Omega_\delta(\neg\Delta(\beta_1, \beta_2))$ is very weak, in that it is true, in particular, whenever $\beta_1$ or 
$\beta_2$ are false; since $\Delta(\beta_1, \beta_2)$ is often used as antecedent of implications in our 
axiomatization, such implications are trivially true because $\neg\beta_1 \vee \neg\beta_2$ is an 
identity when $\beta_1, \beta_2$ cannot hold at the same instant. 

This demands a thorough revision of the axiomatization, in order to make 
it amenable to under-approximations. 

4.1.1 A New Axiomatization 

The new axiomatization basically replaces every occurrence of $\Delta(\beta_1, \beta_2)$ with 
$\widetilde{\Delta}(\beta_1, \beta_2)$. Hence, formulas (1)–(2), (4) are changed as follows (notice that also $\Xi$ 
is changed into $\widetilde{\Xi}$, as we are explaining shortly). 

$$\widetilde{\Delta}(st, s_i, s_j) \;\Rightarrow\; \bigvee_{k} \Big( \widetilde{\Xi}(\xi^k) \wedge \bigwedge_{c \in \Lambda^k} \big( \widetilde{\Delta}(\neg rs_c, rs_c) \vee \widetilde{\Delta}(rs_c, \neg rs_c) \big) \Big) \qquad (7)$$

$$\neg\widetilde{\Delta}(st, s_i, s_j) \qquad (8)$$

$$\begin{aligned}
\widetilde{\Delta}(\neg rs_c, rs_c) &\;\Rightarrow\; \bigvee_{k} \widetilde{\Delta}(st, s_1^k, s_2^k) \\
\widetilde{\Delta}(rs_c, \neg rs_c) &\;\Rightarrow\; \bigvee_{k} \widetilde{\Delta}(st, s_1^k, s_2^k) \;\vee\; \bigvee_{s_0 \in S_0} \blacksquare_{[0,+\infty)}(rs_c \wedge st = s_0)
\end{aligned} \qquad (9)$$

$$\begin{aligned}
\widetilde{\Xi}(c < k) &\equiv rs_c \wedge \blacklozenge_{(0,k)}(\neg rs_c) \;\vee\; \neg rs_c \wedge \blacklozenge_{(0,k)}(rs_c) \\
\widetilde{\Xi}(c > k) &\equiv rs_c \wedge \blacksquare_{(0,k-\delta)}(rs_c) \;\vee\; \neg rs_c \wedge \blacksquare_{(0,k-\delta)}(\neg rs_c)
\end{aligned}$$

Let us now show that the new axiomatization, where formulas (1)–(2), (4) 
are replaced by the new formulas (7)–(9), is indeed equivalent to the old one. 

Proof that (1) iff (7). Let us first show that (1) implies (7), so let $t$ be the 
current instant, assume that (1) and the antecedent $\widetilde{\Delta}(st, s_i, s_j)$ of (7) hold: we 
establish that the consequent of (7) holds. $\widetilde{\Delta}(st, s_i, s_j)$ means that $st = s_i$ at $t$ 
and $st = s_j \ne s_i$ at $t + \delta$; hence there must be a transition instant $t'$ of item $st$ 
somewhere in $[t, t + \delta]$. Then (1) evaluated at $t'$ entails that $t'$ is a transition 
instant for some propositions $rs_c$, $c \in \Lambda^k$, as well. Let $d \in C$ be any one of such 
clocks and assume that $\Delta(rs_d, \neg rs_d)$ holds at $t'$. Let us first assume $t' \in (t, t + \delta)$; 
correspondingly, from the non-Berkeleyness assumption, $rs_d$ holds over $[t, t')$ and 
$\neg rs_d$ holds over $(t', t + \delta]$. In particular, $rs_d$ holds at $t$ and $\neg rs_d$ holds at $t + \delta$, 
so $\widetilde{\Delta}(rs_d, \neg rs_d)$ holds at $t$. Otherwise, let $t' = t$, so $st$ changes its value left-continuously 
at $t$. Then, again from (1) and the non-Berkeleyness assumption, 
$rs_d$ also changes its value left-continuously, so $rs_d$ holds at $t$ and $\neg rs_d$ holds at 
$t + \delta$. Finally, if $t' = t + \delta$, $st$ changes its value right-continuously at $t'$, so $rs_d$ also 
changes its value right-continuously, so $rs_d$ holds at $t$ and $\neg rs_d$ holds at $t + \delta$. In 
all, since $d$ is generic, and the same reasoning applies for the converse transition 
$\Delta(\neg rs_d, rs_d)$, we have established that $\bigwedge_{c \in \Lambda^k} \big(\widetilde{\Delta}(\neg rs_c, rs_c) \vee \widetilde{\Delta}(rs_c, \neg rs_c)\big)$ holds 
at $t$. 
Next, let us establish $\widetilde{\Xi}(\xi^k)$ at $t$ from $\Xi(\xi^k)$ at $t'$. Let us first consider some $\Xi(d < k)$ 
such that $\bigcirc(rs_d) \wedge \blacklozenge_{(0,k)}(\neg rs_d)$ at $t'$. So, let $t'' \in (t' - k, t')$ be the largest instant 
with a transition from $\neg rs_d$ to $rs_d$. Note that it must actually be $t'' \in (t' - k, t]$ 
because $t' - t < \delta$ and the non-Berkeleyness assumption. If $t'' \in (t' - k, t) \subseteq (t - k, t)$ 
then $rs_d \wedge \blacklozenge_{(0,k)}(\neg rs_d)$ holds at $t$, hence $\widetilde{\Xi}(d < k)$ is established. If 
$t'' = t$ then $rs_d$ switches to true right-continuously at $t$, so $rs_d \wedge \odot(\neg rs_d)$ at $t$, 
which also entails $\widetilde{\Xi}(d < k)$. The same reasoning applies if $\bigcirc(\neg rs_d) \wedge \blacklozenge_{(0,k)}(rs_d)$ 
holds at $t'$. Finally, consider some $\Xi(d > k)$ such that $\bigcirc(rs_d) \wedge \blacksquare_{(0,k)}(rs_d)$ holds 
at $t'$, thus $rs_d$ holds over $(t' - k, t')$. From $t' \le t + \delta$ we have $t - k + \delta \ge t' - k$, 
so $(t - k + \delta, t) \subseteq (t' - k, t')$, which shows that $\blacksquare_{(0,k-\delta)}(rs_d)$ holds at $t$. The 
usual reasoning about transition edges would allow us to establish that also $rs_d$ 
holds at $t$. Since the same reasoning applies if $\bigcirc(\neg rs_d) \wedge \blacksquare_{(0,k)}(\neg rs_d)$, we have 
established that $\widetilde{\Xi}(d > k)$ holds at $t$. Since $d$ is generic, we have that $\widetilde{\Xi}(\xi^k)$ 
holds at $t$. 

Let us now prove that (7) implies (1), so let $t$ be the current instant, assume that 
(7) and the antecedent $\Delta(st, s_i, s_j)$ of (1) hold: we establish that the consequent 
of (1) holds. So, there is a transition of $st$ from $s_i$ to $s_j \ne s_i$ at $t$; from 
the non-Berkeleyness assumption we have that $st = s_i$ and $st = s_j$ hold over 
$[t - \delta, t)$ and $(t, t + \delta]$, respectively. If the transition of $st$ is left-continuous 
(i.e., $st = s_i$ holds at $t$), consider (7) at $t$, where the antecedent holds. So, 
$\widetilde{\Xi}(\xi^k) \wedge \bigwedge_{c \in \Lambda^k} \big(\widetilde{\Delta}(\neg rs_c, rs_c) \vee \widetilde{\Delta}(rs_c, \neg rs_c)\big)$ holds at $t$ for some $k$. Let $d \in \Lambda^k$ 
be such that $\widetilde{\Delta}(\neg rs_d, rs_d)$ holds, that is $\neg rs_d$ holds at $t$ and $rs_d$ holds at $t + \delta$. 
This entails that there exists a transition point $t' \in [t, t + \delta]$ of $rs_d$. However, 
$t$ is already a transition point, thus it must be $t' = t$; this shows $\Delta(\neg rs_d, rs_d)$ 
at $t$. Recall that $d$ is generic, and the same reasoning applies for the converse 
transition from $rs_d$ to $\neg rs_d$. If, instead, the transition of $st$ is right-continuous 
(i.e., $st = s_j$ holds at $t$), we consider (7) at $t - \delta$ and perform a similar reasoning. 
All in all, we have established that $\bigwedge_{c \in \Lambda^k} \big(\Delta(\neg rs_c, rs_c) \vee \Delta(rs_c, \neg rs_c)\big)$ holds at 
$t$. 

The clock constraint formula $\Xi(\xi^k)$ can also be proved along the same lines. 
For instance, assume that the transition of $st$ at $t$ is left-continuous and $\bigcirc(rs_d)$ 
holds at $t$ for some $d \in C$, and consider a constraint $\widetilde{\Xi}(d < k)$ at $t$. We have 
that $\blacklozenge_{(0,k)}(\neg rs_d)$ must hold at $t$, which establishes that $\Xi(d < k)$ holds at $t$. 
Similar reasonings apply to the other cases. □ 

Proof that (2) iff (8). Let $\Delta(st, s_i, s_j)$ hold at $t$; we prove that $\widetilde{\Delta}(st, s_i, s_j)$ holds 
at some $t'$. If the transition of $st$ at $t$ is right-continuous let $t' = t - \delta$, else let 
$t' = t$. From the non-Berkeleyness assumption we have that $st = s_j$ at $t + \delta$ and 
$st = s_i$ at $t - \delta$. Correspondingly, $\widetilde{\Delta}(st, s_i, s_j)$ holds at $t'$ because $st = s_i$ at $t'$ 
and $st = s_j$ at $t' + \delta$. 

For the converse, let $\widetilde{\Delta}(st, s_i, s_j)$ hold at $t$; we prove that $\Delta(st, s_i, s_j)$ holds at 
some $t'$. This is immediate because $st = s_i$ at $t$ and $st = s_j$ at $t + \delta$ entail that 
there exists a transition instant $t' \in [t, t + \delta]$ where $\Delta(st, s_i, s_j)$ holds. □ 

Proof that (4) iff (9). The proof of this part is along the same lines as for 
the proof that (1) iff (7). □ 
In the following sub-sections we are going to compute under-approximations 
of this new equivalent axiomatization, thus showing that the results are indeed 
much more satisfactory than with the original axioms. In fact, we can already see 
that $\Omega_\delta(\widetilde{\Delta}(\beta_1, \beta_2)) = \beta_1 \wedge \Diamond_{=1}(\beta_2) = \neg(\neg\beta_1 \vee \Diamond_{=1}(\neg\beta_2)) = \neg\Omega_\delta(\neg\widetilde{\Delta}(\beta_1, \beta_2))$, 
thus solving the fundamental problem with the previous axiomatization. 
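As an added illustration of both the $\theta_1$/$\theta_2$ discussion of Section 2.4.3 and the problem with $\Delta$ described above (example code written for this page, not the paper's or TAZot's), the following Python evaluator checks bounded discrete-time MTL formulas over short constructed traces; operators only look at instants that exist in the trace, which is an assumption of this example.

```python
# Added example (not code from the paper or from TAZot): a small evaluator for
# bounded discrete-time MTL over finite traces, used to check the observations
# the text makes about theta_1/theta_2 and about the "becomes" operator Delta.
# Operators only look at instants that exist in the trace, so global
# satisfiability ("always") is checked on a window that leaves room for the
# bounded look-ahead/look-back of the formulas.
from typing import Callable, Dict, List, Sequence

Trace = Sequence[Dict[str, bool]]        # one valuation per discrete instant
Formula = Callable[[Trace, int], bool]   # (trace, instant) -> truth value

def prop(name: str) -> Formula:
    return lambda tr, h: tr[h].get(name, False)

def neg(f: Formula) -> Formula:
    return lambda tr, h: not f(tr, h)

def conj(f: Formula, g: Formula) -> Formula:
    return lambda tr, h: f(tr, h) and g(tr, h)

def disj(f: Formula, g: Formula) -> Formula:
    return lambda tr, h: f(tr, h) or g(tr, h)

def _window(tr: Trace, h: int, lo: int, hi: int, past: bool) -> List[int]:
    """Instants h+i (future) or h-i (past), lo <= i <= hi, that lie inside tr."""
    sign = -1 if past else 1
    return [h + sign * i for i in range(lo, hi + 1) if 0 <= h + sign * i < len(tr)]

def diamond(lo: int, hi: int, f: Formula, past: bool = False) -> Formula:
    """Diamond_[lo,hi](f): f at some instant of the window (PastDiamond if past)."""
    return lambda tr, h: any(f(tr, k) for k in _window(tr, h, lo, hi, past))

def box(lo: int, hi: int, f: Formula, past: bool = False) -> Formula:
    """Box_[lo,hi](f): f at every instant of the window. An empty interval
    (lo > hi, as in Box_[1,0]) makes it vacuously true at every instant."""
    return lambda tr, h: all(f(tr, k) for k in _window(tr, h, lo, hi, past))

def always(f: Formula, tr: Trace, margin: int = 2) -> bool:
    """Global satisfiability on the instants whose +/-margin window is inside tr."""
    return all(f(tr, h) for h in range(margin, len(tr) - margin))

def trace(**columns: Sequence[int]) -> Trace:
    """Build a trace from 0/1 columns, e.g. trace(p=[1, 0, 1, 0])."""
    n = len(next(iter(columns.values())))
    return [{name: bool(col[h]) for name, col in columns.items()} for h in range(n)]

# --- theta_1 and theta_2 of Section 2.4.3 -----------------------------------
p = prop("p")
omega_theta1 = box(1, 0, p)                  # Omega(Box_(0,delta)(p)) = Box_[1,0](p)
omega_theta1_prime = conj(p, omega_theta1)   # Omega(p and theta_1) = p
o_theta2 = diamond(1, 1, p)                  # O(Diamond_[0,2delta](p)) = Diamond_=1(p)
o_theta2_prime = disj(p, o_theta2)           # O(p or theta_2) = Diamond_[0,1](p)

def theta_results() -> Dict[str, bool]:
    never_p = trace(p=[0] * 8)                         # constructed: p never holds
    alternating = trace(p=[1, 0, 1, 0, 1, 0, 1, 0])    # constructed: p false every other step
    return {
        "omega_theta1_on_never_p": always(omega_theta1, never_p),              # True: no constraint
        "omega_theta1_prime_on_never_p": always(omega_theta1_prime, never_p),  # False: p is required
        "o_theta2_on_alternating": always(o_theta2, alternating),              # False: too strong
        "o_theta2_prime_on_alternating": always(o_theta2_prime, alternating),  # True: one gap allowed
    }

# --- the Delta problem of Section 4.1 and its fix ----------------------------
def omega_delta_old(b1: Formula, b2: Formula) -> Formula:
    """Omega(Delta(b1,b2)) = PastDiamond_[0,1](b1) and Diamond_[0,1](b2)."""
    return conj(diamond(0, 1, b1, past=True), diamond(0, 1, b2))

def omega_not_delta_old(b1: Formula, b2: Formula) -> Formula:
    """Omega(not Delta(b1,b2)) = PastDiamond_[0,1](not b1) or not b2."""
    return disj(diamond(0, 1, neg(b1), past=True), neg(b2))

def omega_delta_new(b1: Formula, b2: Formula) -> Formula:
    """Omega(Delta~(b1,b2)) = b1 and Diamond_=1(b2)."""
    return conj(b1, diamond(1, 1, b2))

def omega_not_delta_new(b1: Formula, b2: Formula) -> Formula:
    """Omega(not Delta~(b1,b2)) = not b1 or Diamond_=1(not b2): the exact complement."""
    return disj(neg(b1), diamond(1, 1, neg(b2)))

def delta_results() -> Dict[str, List[int]]:
    # constructed: item st moves from s_i to s_j between instants 1 and 2
    st = trace(si=[1, 1, 0, 0, 0], sj=[0, 0, 1, 1, 1])
    si, sj = prop("si"), prop("sj")
    old_t, old_n = omega_delta_old(si, sj), omega_not_delta_old(si, sj)
    new_t, new_n = omega_delta_new(si, sj), omega_not_delta_new(si, sj)
    hs = range(len(st))
    return {
        "old_both_true_at": [h for h in hs if old_t(st, h) and old_n(st, h)],   # [1, 2]
        "new_inconsistent_at": [h for h in hs if new_t(st, h) == new_n(st, h)],  # []
        "new_transition_at": [h for h in hs if new_t(st, h)],                    # [1]
    }
```

On the constructed traces the old operator reports the transition as both occurring and not occurring at instants 1 and 2, while the new one is decided at exactly one instant.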

4.1.2 Clock Constraints 

Let us consider the under-approximations of clock constraints; they are both 
straightforward. 

$$\begin{aligned}
\Omega_\delta(\widetilde{\Xi}(c < k)) &= rs_c \wedge \blacklozenge_{[0,k/\delta]}(\neg rs_c) \;\vee\; \neg rs_c \wedge \blacklozenge_{[0,k/\delta]}(rs_c) \\
\Omega_\delta(\widetilde{\Xi}(c > k)) &= rs_c \wedge \blacksquare_{[1,k/\delta-2]}(rs_c) \;\vee\; \neg rs_c \wedge \blacksquare_{[1,k/\delta-2]}(\neg rs_c)
\end{aligned}$$



4.1.3 Formulas (1)–(2) 

From the preliminaries, it is straightforward to re-write (7) in normal form, compute 
the under-approximation, and re-write the resulting discrete-time formula 
as: 

$$\widetilde{\Delta}(st, s_i, s_j) \;\Rightarrow\; \bigvee_{k} \Big( \Omega_\delta(\widetilde{\Xi}(\xi^k)) \wedge \bigwedge_{c \in \Lambda^k} \big( \widetilde{\Delta}(\neg rs_c, rs_c) \vee \widetilde{\Delta}(rs_c, \neg rs_c) \big) \Big) \qquad (10)$$

The under-approximation of (8) is also straightforward: 

$$\neg\widetilde{\Delta}(st, s_i, s_j) \qquad (11)$$


4.1.4 Formulas (3)–(4) 

Formula (9) has a structure similar to formula (7); so we immediately compute 
its under-approximation as: 

$$\begin{aligned}
\widetilde{\Delta}(\neg rs_c, rs_c) &\;\Rightarrow\; \bigvee_{k} \widetilde{\Delta}(st, s_1^k, s_2^k) \\
\widetilde{\Delta}(rs_c, \neg rs_c) &\;\Rightarrow\; \bigvee_{k} \widetilde{\Delta}(st, s_1^k, s_2^k) \;\vee\; \bigvee_{s_0 \in S_0} \blacksquare_{[0,+\infty)}(rs_c \wedge st = s_0)
\end{aligned} \qquad (12)$$

Also, simply $\Omega_\delta((3)) = (3)$. 



4.1.5 Formulas (5)–(6) 

Formula (6) is unchanged under under-approximation (after noticing that 
$\Diamond_{[0,+\infty)}(\phi)$ is equivalent to $\Diamond(\phi)$ when the antecedent of (6) holds), so $\Omega_\delta((6)) = (6)$. 
Such formulas are straightforward to under-approximate, and they produce 
discrete-time formulas that are perfectly adequate. 

Next, let us consider (5) instead. Since $\Omega_\delta(\neg\blacksquare(\bot)) = \top$, we first re-write 
it as: 

$$\blacksquare_{[\delta,+\infty)}(\bot) \;\Rightarrow\; \bigwedge_{c \in C} rs_c \wedge \Diamond_{[0,2\delta]}\Big( \bigwedge_{c \in C} \neg rs_c \Big) \wedge \bigvee_{s_0 \in S_0} st = s_0 \qquad (13)$$
Let us discuss why (13) and (5) are equivalent, when considered together with 
the other axioms. $\blacksquare_{[\delta,+\infty)}(\bot)$ holds precisely over $[0, \delta)$, thus (13) asserts that: 

• $rs_c$ holds over $[0, \delta)$ for all $c \in C$; 

• $rs_c$ switches to false at some $t_{start} \in [\delta, 2\delta]$ for all $c \in C$; 

• $st = s_0$ holds for some $s_0 \in S_0$ over $[0, \delta)$; note that it must be the same 
$s_0$ throughout the interval, still because of the non-Berkeleyness assumption; 

• because of the non-Berkeleyness assumption, if $st$ changes in $(\delta, 2\delta]$ it does 
so together with the resets at $t_{start}$; 

• $\widetilde{\Delta}(rs_c, \neg rs_c)$ holds over $[t_{start} - \delta, t_{start})$ for all $c \in C$; the consequent of (9) 
is true because of the disjunct $\blacksquare_{[0,+\infty)}(\bigwedge_{c \in C} rs_c \wedge st = s_0)$ which holds 
throughout $[0, t_{start})$. 

All in all, the new initialization formula forces a behavior which is the same as 
in the original one. Then, given that $\Omega_\delta(\neg\blacksquare_{[\delta,+\infty)}(\bot)) = \blacklozenge_{[1,+\infty)}(\top)$, which holds 
everywhere except at 0, we compute $\Omega_\delta((13))$ as: 

$$\text{at } 0: \quad \bigwedge_{c \in C} rs_c \wedge \Diamond_{[1,2]}\Big( \bigwedge_{c \in C} \neg rs_c \Big) \wedge \bigvee_{s_0 \in S_0} st = s_0 \qquad (14)$$

where $\Diamond_{[0,2]}(\bigwedge_{c \in C} \neg rs_c)$ has been rewritten as $\Diamond_{[1,2]}(\bigwedge_{c \in C} \neg rs_c)$ because $\bigwedge_{c \in C} rs_c$ 
holds at 0. 

In addition, we notice the following fact. Assume that $\bigwedge_{c \in C} \neg rs_c$ holds at 1; 
then (12) can require a state transition only for instants $\ge 1$. Otherwise, assume 
that $\bigwedge_{c \in C} \neg rs_c$ holds at 2 and that some resets switch at 1, i.e., there exists a 
$D \subset C$ such that: (a) $rs_c$ at 0 for all $c \in C$, (b) $\bigwedge_{c \in D} \neg rs_c$ at 1, and (c) $\bigwedge_{c \in C} \neg rs_c$ at 
2. Then (12) requires a state transition at 1. All in all, (12) can be rewritten 
equivalently without the $\bigvee_{s_0 \in S_0} \blacksquare_{[0,+\infty)}(rs_c \wedge st = s_0)$ part if it is evaluated 
only at instants $\ge 1$. 

4.2 Over-approximation 

Formulas (1)–(6) are in a form which is unsuitable to compute useful over-approximations. 
Hence, we follow the same path as for the under-approximation: we 
introduce a different, albeit equivalent, continuous-time axiomatization, which 
is then amenable to over-approximation. 

4.2.1 Preliminaries 

Let us consider a generic Boolean combination $\beta$ and let us compute the following 
over-approximations (clearly, the justifications for those with past operators 
are the same as for the future operators, so they are omitted for brevity): 

• $O_\delta(\bigcirc(\beta)) = \Box_{[0,1]}(\beta)$. 

From the definition of the nowon operator, we have: $(\beta \wedge U_{\ge 1}(\beta, \top)) \vee (\neg\beta \wedge R_{\ge -1}(\beta, \bot))$. 
Over discrete time, it is easy to check that $\beta \wedge U_{\ge 1}(\beta, \top)$ is 
equivalent to $\Box_{[0,1]}(\beta)$; on the other hand, the second disjunct $\neg\beta \wedge R_{\ge -1}(\beta, \bot)$ 
is equivalent to $\bot$, as when $d < 1$ the interval $[0, d)$ is empty. 

• $O_\delta(\Diamond_{[0,2\delta]}(\beta)) = \Diamond_{=1}(\beta)$. 

• $O_\delta(\odot(\beta)) = \blacksquare_{[0,1]}(\beta)$. 

• $O_\delta(\neg\Delta(\beta_1, \beta_2)) = \neg(\Delta(\beta_1, \beta_2) \vee \widetilde{\Delta}(\beta_1, \beta_2))$, assuming $\beta_1, \beta_2$ cannot hold 
at the same instant. 

Recall the definition of $\Delta(\beta_1, \beta_2)$, so $\neg\Delta(\beta_1, \beta_2) = \odot(\neg\beta_1) \vee (\neg\beta_2 \wedge \bigcirc(\neg\beta_2))$. 
Thus, $O_\delta(\neg\Delta(\beta_1, \beta_2)) = \blacksquare_{[0,1]}(\neg\beta_1) \vee (\neg\beta_2 \wedge \Box_{[0,1]}(\neg\beta_2)) = \blacksquare_{[0,1]}(\neg\beta_1) \vee \Box_{[0,1]}(\neg\beta_2)$. 
By pushing negations outward in the latter, we get: $\neg(\blacklozenge_{[0,1]}(\beta_1) \wedge \Diamond_{[0,1]}(\beta_2))$, 
which is equivalent to $\neg(\Delta(\beta_1, \beta_2) \vee \widetilde{\Delta}(\beta_1, \beta_2))$ if $\beta_1, \beta_2$ cannot hold at the 
same instant. 

4.2.2 Clock Constraints 

It is not difficult to compute the over-approximations of the "existential" clock 
constraint. In fact, we have: 

$$O_\delta(\Xi(c < k)) = \Box_{[0,1]}(rs_c) \wedge \blacklozenge_{[1,k/\delta-1]}(\neg rs_c) \;\vee\; \Box_{[0,1]}(\neg rs_c) \wedge \blacklozenge_{[1,k/\delta-1]}(rs_c)$$

On the contrary, we have to "massage" the "universal" clock constraints into 
a more suitable form; otherwise, e.g., the direct over-approximation of $\blacksquare_{(0,k)}(rs_c)$ is 
never satisfiable if $c$ is both checked and reset when a transition is 
taken. We can, however, perform a transformation where $\Xi(c > k)$ becomes: 

$$\Xi(c > k) \equiv \bigcirc(rs_c) \wedge \blacksquare_{[\delta,k)}(rs_c) \;\vee\; \bigcirc(\neg rs_c) \wedge \blacksquare_{[\delta,k)}(\neg rs_c)$$

which is seen to be equivalent for non-Berkeley behaviors at transition points 
(when clock constraints are evaluated). Hence, we have: 

$$O_\delta(\Xi(c > k)) \equiv \Box_{[0,1]}(rs_c) \wedge \blacksquare_{[0,k/\delta+1]}(rs_c) \;\vee\; \Box_{[0,1]}(\neg rs_c) \wedge \blacksquare_{[0,k/\delta+1]}(\neg rs_c)$$

4.2.3 Attempting Formula (1) 

It is not difficult to see that formula (1) yields a very poor over-approximation. 
In particular, the portions in the consequent corresponding to the clock resets, 
$\Delta(\neg rs_c, rs_c) \vee \Delta(rs_c, \neg rs_c)$, become, when over-approximated: 

$$O_\delta\Big( \odot(rs_c) \wedge (\neg rs_c \vee \bigcirc(\neg rs_c)) \;\vee\; \odot(\neg rs_c) \wedge (rs_c \vee \bigcirc(rs_c)) \Big) = \blacksquare_{[0,1]}(rs_c) \wedge (\neg rs_c \vee \Box_{[0,1]}(\neg rs_c)) \;\vee\; \blacksquare_{[0,1]}(\neg rs_c) \wedge (rs_c \vee \Box_{[0,1]}(rs_c)) \qquad (15)$$

Clearly, the above discrete-time formula is unsatisfiable, as, for instance, 
$\blacksquare_{[0,1]}(rs_c)$ is in contradiction with $\neg rs_c \vee \Box_{[0,1]}(\neg rs_c)$. Similar problems arise 
with the over-approximations of formula (4). 

As a consequence, the over-approximation axioms would only be satisfiable 
with behaviors where the antecedents are identically false. It is not difficult to 
realize that such behaviors would be the trivial ones, where no transition ever 
happens. This in turn would contradict (the over-approximation of) formula 
(6). So, overall, we end up with a set of over-approximated axioms which are 
unsatisfiable; clearly, this is of little interest for checking non-validity, as an 
unsatisfiable set of axioms entails any property. 

4.2.4 A New Axiomatization 

However, we can rewrite our axioms in a form which is equivalent but which 
yields much better discrete-time over-approximations. 

Let us rewrite formulas (1) and (4) as follows (formulas (2), (3), (5) and (6) are instead 
unchanged). 

$$\Delta(st, s_i, s_j) \;\Rightarrow\; \bigvee_{k} \left( \Xi(\xi^k) \wedge \bigwedge_{c \in \Lambda^k} \left( \begin{array}{c} \odot(\neg rs_c) \wedge \Box_{=\delta}(st = s_j \Rightarrow rs_c) \\ \vee \\ \odot(rs_c) \wedge \Box_{=\delta}(st = s_j \Rightarrow \neg rs_c) \end{array} \right) \right) \qquad (16)$$

$$\begin{aligned}
\Delta(\neg rs_c, rs_c) &\;\Rightarrow\; \bigvee_{k} \Big( \odot(st = s_1^k) \wedge \Box_{=\delta}(rs_c \Rightarrow st = s_2^k) \Big) \\
\Delta(rs_c, \neg rs_c) &\;\Rightarrow\; \bigvee_{k} \Big( \odot(st = s_1^k) \wedge \Box_{=\delta}(\neg rs_c \Rightarrow st = s_2^k) \Big) \;\vee\; \bigvee_{s_0 \in S_0} \blacksquare_{[\delta,+\infty)}(rs_c \wedge st = s_0)
\end{aligned} \qquad (17)$$

We claim that these new axioms describe the same behaviors as the original 
axioms (1)–(6). 

Proof that (1) iff (16). Since the antecedents of (1) and (16) are the same, 
we just have to prove that the consequents are equivalent, assuming that the 
antecedents hold. So let $\Delta(st, s_i, s_j)$ hold at the current instant $t$; this means that 
item $st$ transitions from $s_i$ to $s_j$. In particular, notice that the non-Berkeleyness 
requirement for $\delta$ entails that $s_j$ holds at least over the interval $(t, t + \delta]$. 

Now, let $d \in C$. Note that $\bigcirc(rs_d)$ at $t$ iff $st = s_j \Rightarrow rs_d$ at $t + \delta$, because $t$ 
is a transition point, so the non-Berkeleyness requirement entails that $rs_d$ holds 
throughout $(t, t + \delta]$. Hence, $\Delta(\neg rs_d, rs_d)$ iff $\odot(\neg rs_d) \wedge \Box_{=\delta}(st = s_j \Rightarrow rs_d)$, at $t$. 
Since the reasoning holds for a generic clock, and also for the converse transition 
from $rs_d$ to $\neg rs_d$, and $\Xi(\xi^k)$ is the same in both (1) and (16), we have proved 
that (1) iff (16). □ 

Proof that (4) iff (17). Proofs along the very same lines can be provided for 
formulas (4) and (17). We only notice that the term $\blacksquare_{[0,+\infty)}(rs_c \wedge st = s_0)$ 
has been equivalently changed to $\blacksquare_{[\delta,+\infty)}(rs_c \wedge st = s_0)$. In fact, (5) entails that 
$st = s_0$ holds throughout $[0, \delta]$, hence $\Delta(rs_c, \neg rs_c)$ is false over $[0, \delta)$. We omit 
all other details for brevity. □ 



4.2.5 Formulas (1)–(2) 

The newly built formula (16) is now amenable to over-approximation. In fact, 
we have the following discrete-time formula. 

$$\Delta(st, s_i, s_j) \vee \widetilde{\Delta}(st, s_i, s_j) \;\Rightarrow\; \bigvee_{k} \left( O_\delta(\Xi(\xi^k)) \wedge \bigwedge_{c \in \Lambda^k} \left( \begin{array}{c} \blacksquare_{[0,1]}(\neg rs_c) \wedge \Box_{[0,2]}(st = s_j \Rightarrow rs_c) \\ \vee \\ \blacksquare_{[0,1]}(rs_c) \wedge \Box_{[0,2]}(st = s_j \Rightarrow \neg rs_c) \end{array} \right) \right) \qquad (18)$$

Notice instead that the over-approximation of (2) is simply: 

$$\neg\big(\Delta(st, s_i, s_j) \vee \widetilde{\Delta}(st, s_i, s_j)\big) \qquad (19)$$

4.2.6 Formula (4) 

Formula (17) has a structure similar to formula (16); so we immediately compute 
its over-approximation as: 

$$\begin{aligned}
\Delta(\neg rs_c, rs_c) \vee \widetilde{\Delta}(\neg rs_c, rs_c) &\;\Rightarrow\; \bigvee_{k} \Big( \blacksquare_{[0,1]}(st = s_1^k) \wedge \Box_{[0,2]}(rs_c \Rightarrow st = s_2^k) \Big) \\
\Delta(rs_c, \neg rs_c) \vee \widetilde{\Delta}(rs_c, \neg rs_c) &\;\Rightarrow\; \bigvee_{k} \Big( \blacksquare_{[0,1]}(st = s_1^k) \wedge \Box_{[0,2]}(\neg rs_c \Rightarrow st = s_2^k) \Big) \;\vee\; \bigvee_{s_0 \in S_0} \blacksquare_{[0,+\infty)}(rs_c \wedge st = s_0)
\end{aligned} \qquad (20)$$

4.2.7 Some Simplifications 

In this section we show how to re-write the discrete-time formulas (18)–(20) above in 
a simpler but equivalent form. 

Let us start by noting that the formulas have a similar structure, and in 
particular have antecedents that are structurally identical, the only difference 
being the items they predicate about. In fact, these antecedents describe a 
transition of an item from a value to another value; so (18) describes a transition 
of item $st$ from $s_i$ to $s_j$, (20) a transition of some $rs_c$, etc. 

Let us consider a generic current instant $h$ where the antecedent of (18) 
holds and let us spell out what form the transition of $st$ can take. $\Delta(st, s_i, s_j) \vee \widetilde{\Delta}(st, s_i, s_j)$ 
holds precisely in the following three cases: 

1. $st = s_i$ holds at $h - 1$ and $st = s_j$ holds at $h$; 

2. $st = s_i$ holds at $h - 1$ and $st = s_j$ holds at $h + 1$; 

3. $st = s_i$ holds at $h$ and $st = s_j$ holds at $h + 1$. 

We are going to show that case 1 is in contradiction with the other axioms, and 
therefore can be removed from the axiomatization. 

So, assume that $st = s_i$ holds at $h - 1$ and $st = s_j$ holds at $h$. The consequent 
of (18) is then contradictory: $\blacksquare_{[0,1]}(\neg rs_c)$ implies that $rs_c$ is false at $h$, but 
$\Box_{[0,2]}(st = s_j \Rightarrow rs_c)$ implies that $rs_c$ is true at $h$ because $st = s_j$ is the case. All 
similarly if $\blacksquare_{[0,1]}(rs_c)$ holds. 

It is simple to see that similar contradictions arise if we consider a transition 
for $rs_c$ from false to true (or true to false) for some $c \in C$. We conclude that we 
should never consider transitions as in case 1. 

Now, notice that if case 1 never holds, case 2 reduces to case 3. In fact, 
it cannot be $st = s_j$ at $h$ or we would have case 1, so it must be $st = s_i$ at 
$h$. All in all, every antecedent in formulas (18)–(20) can be simplified into just 
$\widetilde{\Delta}(st, s_i, s_j) = st = s_i \wedge \Diamond_{=1}(st = s_j)$ and similar ones. 

Finally, notice that also formula (19) can be simplified into just $\neg\widetilde{\Delta}(st, s_i, s_j)$. 
To see this, assume to the contrary that $st = s_i$ holds at $h - 1$ and $st = s_j$ holds 
at $h$, for some pair of states $s_i, s_j$ which do not belong to any transition. In this 
case, $\widetilde{\Delta}(st, s_i, s_j)$ holds at $h - 1$, thus the new formula is false, which shows that 
such a transition cannot occur even with the new, weaker formula. 

All in all, we have formulas (18)–(20) simplified as follows. 

$$\widetilde{\Delta}(st, s_i, s_j) \;\Rightarrow\; \bigvee_{k} \left( O_\delta(\Xi(\xi^k)) \wedge \bigwedge_{c \in \Lambda^k} \left( \begin{array}{c} \blacksquare_{[0,1]}(\neg rs_c) \wedge \Box_{[0,2]}(st = s_j \Rightarrow rs_c) \\ \vee \\ \blacksquare_{[0,1]}(rs_c) \wedge \Box_{[0,2]}(st = s_j \Rightarrow \neg rs_c) \end{array} \right) \right) \qquad (21)$$

$$\neg\widetilde{\Delta}(st, s_i, s_j) \qquad (22)$$

$$\begin{aligned}
\widetilde{\Delta}(\neg rs_c, rs_c) &\;\Rightarrow\; \bigvee_{k} \Big( \blacksquare_{[0,1]}(st = s_1^k) \wedge \Box_{[0,2]}(rs_c \Rightarrow st = s_2^k) \Big) \\
\widetilde{\Delta}(rs_c, \neg rs_c) &\;\Rightarrow\; \bigvee_{k} \Big( \blacksquare_{[0,1]}(st = s_1^k) \wedge \Box_{[0,2]}(\neg rs_c \Rightarrow st = s_2^k) \Big) \;\vee\; \bigvee_{s_0 \in S_0} \blacksquare_{[0,+\infty)}(rs_c \wedge st = s_0)
\end{aligned} \qquad (23)$$



4.2.8 Formulas (3), (5)–(6) 

Notice that simply $O_\delta((3)) = (3)$ and $O_\delta((6)) = (6)$. 

For (5) notice that $O_\delta(\neg\blacksquare(\bot)) = \blacklozenge_{[1,+\infty)}(\top)$, which holds everywhere 
except at 0. Thus, we can write $O_\delta((5))$ as: 

$$\text{at } 0: \quad \bigwedge_{c \in C} rs_c \wedge \Diamond_{=1}\Big( \bigwedge_{c \in C} \neg rs_c \Big) \wedge \bigvee_{s_0 \in S_0} \Box_{[0,1]}(st = s_0) \qquad (24)$$

Notice that (24) entails that $\blacksquare_{[0,+\infty)}(rs_c \wedge st = s_0)$ holds for some $s_0 \in S_0$ at 0. 
Correspondingly, (20) can be rewritten equivalently without the $\bigvee_{s_0 \in S_0} \blacksquare_{[0,+\infty)}(rs_c \wedge st = s_0)$ 
part if it is evaluated only at instants $\ge 1$. 



4.3 Summary 

The following proposition summarizes the results of the discrete-time approximation 
formulas. 

Proposition 3. Let $\mathcal{S}$ be a real-time system described by timed automaton 
$\mathcal{A} = \langle \Sigma, S, S_0, \alpha, C, E \rangle$ and by a set of MTL specification formulas $\{\phi^{spec}_j\}_j$ over 
items in $I$ and propositions in $P$. Also, let $\phi^{prop}$ be another MTL formula over 
items in $I \cup \{st : S, in : \Sigma\}$ and propositions in $P \cup R$. Then: 

• if: 

$\Rightarrow \mathrm{Alw}(O_\delta(\phi^{prop}))$ 

is $\mathbb{N}$-valid, then $\phi^{prop}$ is satisfied by all non-Berkeley runs $b \in \mathcal{B}_\delta$ of the 
system (with $t_{start} \in (\delta, 2\delta]$); 

• if: 

is not $\mathbb{N}$-valid, then $\phi^{prop}$ is not satisfied by all non-Berkeley runs $b \in \mathcal{B}_\delta$ 
of the system (with $t_{start} \in (\delta, 2\delta]$). 

5 Implementation and Example 

This section briefly describes the implementation of the verification technique 
introduced in the previous section and discusses an example of a system verified 
with the resulting tool. 

5.1 TAZot 

We implemented the verification technique of this paper as a plugin to the Zot 
bounded satisfiability checker [SUES] named TAZot. The plugin provides a set 
of primitives by which the user can provide the description of a timed automaton, 
of a set of MTL axioms, and a set of MTL properties (to be verified). The 
tool then automatically builds the two discrete-time approximation formulas of 
Proposition 3. These are checked for validity over time $\mathbb{N}$ bounded by some 
user-defined constant; the results of the validity check allow one to infer the 
validity of the original dense-time models, according to Proposition 3. 

More precisely, the verification process in TAZot consists of three sequential 
phases. First, the discrete-time MTL formulas of Proposition 3 are built and 
translated into a propositional satisfiability (SAT) problem. Second, the SAT 
instance is put into conjunctive normal form (CNF), a standard input format 
for SAT solvers. Third, the CNF formula is fed to a SAT solving engine (such 
as MiniSat, zChaff, or MiraXT) for the validity checking. 
Figure 1: Timed automaton modeling the communication protocol. 

5.2 A Communication Protocol Example 

We demonstrate the practical feasibility of our verification technique by means 
of an example, where we verify certain properties of a communication protocol, 
modeled through a timed automaton. 

5.2.1 Description of the Protocol 

Let us consider a server accepting requests from clients to perform a certain 
service (the exact nature of the service is irrelevant for our purposes). Initially, 
the server is idle in a passive open state. At any time, a client can initiate a 
protocol run; when this is the case, the server moves to a try state. Within $T_1$ 
time units, the state moves to a new $s_1$ state, characterizing the first request of 
the client for the service. The request can either terminate within $T_2$ time units, 
or time out after $T_2$ time units have elapsed. When it terminates, it can do so 
either successfully (ok) or unsuccessfully (ko). In case of success, the protocol 
run is completed afterward, and the server goes back to being idle. In case of 
failure or time-out, the server moves to a new $s_2$ state for a second attempt. The 
second attempt is executed all similarly to the first one, with the only exception 
that the system goes back to the idle state afterward, regardless of the outcome 
(success, failure, or time-out). 

The timed automaton of Figure 1 models the protocol. Recall that the 
definition of clock constraints given in Section 2.3 forbids the introduction of 
exact constraints such as $c = T_2$. Hence, we mean clock constraints in the form 
$c = T$ as a shorthand for the valid clock constraint $T < c < T + \delta$, where 
$\delta$ is the chosen sampling period. In other words, we approximate exact clock 
constraints to within a tolerance which is given by the time granularity $\delta$. 

5.2.2 Properties of the System 

Let us describe the properties we verified using our technique. We verified 
5 properties of a single instance of the automaton, and 2 other properties of 
a concurrent run of two (or more) instances of the automaton, synchronized
according to additional MTL axioms described below. We included a false 
property among the former 5, in order to show how the verification technique 
works at disproving false properties. 

Single instance properties.

1. "If there is a success, the server goes back to idle without passing through
error states."

   $\mathrm{ok}_1 \lor \mathrm{ok}_2 \Rightarrow \mathrm{U}(\lnot(\mathrm{ko}_1 \lor \mathrm{ko}_2),\ \mathrm{idle})$

2. "If there is a failure, the server goes back to idle without passing through
success states."

   $\mathrm{ko}_1 \lor \mathrm{ko}_2 \Rightarrow \mathrm{U}(\lnot(\mathrm{ok}_1 \lor \mathrm{ok}_2),\ \mathrm{idle})$

   This property is false, and in fact counterexamples are produced in the
   tests.

3. "A full run of the protocol executes in no more than T3 time units."

   $\mathrm{try} \Rightarrow \Diamond_{(0,T_3)}(\mathrm{idle})$

   This property, as it is, falls in the incompleteness area of the method. In
   fact, whether a run is completed in T3/δ time instants depends strongly
   on how the sampling is chosen, so the method cannot conclude anything
   within its accuracy. However, if we slightly weaken the property by changing
   T3 into T3 + δ, the method succeeds in verifying it. In the tables, the
   (verified) property, modified in this way, is labeled 3.

4. "The first attempt of the protocol is initiated no later than 2T1 + T2 + δ
time units after the run has been initiated."

   $\mathrm{s}_1 \Rightarrow \overleftarrow{\Diamond}_{(0,\,2T_1+T_2+\delta)}(\mathrm{try})$

5. "A run is terminated within T3 time units after a successful outcome,
without going through failure states."

   $\mathrm{ok}_1 \Rightarrow \mathrm{U}_{(0,T_3)}(\lnot(\mathrm{ko}_1 \lor \mathrm{ko}_2),\ \mathrm{idle})$
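As an added illustration (it is neither TAZot's code nor the paper's), the following Python explores the protocol automaton of Figure 1 over discrete time with δ = 1 by explicit enumeration of bounded runs and checks properties 1 and 2 as until-formulas; the parameter values T1 = 1, T2 = 2 and the bound K = 12 are constructed, and the explicit-state search stands in for the SAT encoding. It finds no counterexample to property 1, while a run through ko1, s2, ok2 refutes property 2, matching the outcomes reported above.

```python
# Constructed parameters (not the paper's): T1, T2 in time units, delta = 1, K = bound.
T1, T2, K = 1, 2, 12

def successors(state, c):
    """Discrete-time successors (state, clock) of the protocol automaton.
    An exact constraint 'c = T' is read as T <= c < T + delta, as in the paper."""
    if state == "idle":
        return [("idle", 0), ("try", 0)]
    if state == "try":                                  # must reach s1 within T1
        return ([("try", c + 1)] if c < T1 else []) + [("s1", 0)]
    if state in ("s1", "s2"):                           # request attempt n
        n = state[1]
        if c == T2:                                     # time-out after T2 units
            return [("tout" + n, 0)]
        return [(state, c + 1), ("ok" + n, 0), ("ko" + n, 0)]
    if state == "ok1":
        return [("idle", 0)]
    if state in ("ko1", "tout1"):
        return [("s2", 0)]                              # second attempt
    return [("idle", 0)]                                # ok2, ko2, tout2

def runs(k):
    """All state sequences of k instants starting from idle with clock 0."""
    stack = [[("idle", 0)]]
    while stack:
        run = stack.pop()
        if len(run) == k:
            yield [s for s, _ in run]
            continue
        stack.extend(run + [nxt] for nxt in successors(*run[-1]))

def violates_until(trace, phi, psi, chi):
    """First position i where phi holds but U(psi, chi) fails inside the trace:
    a later j satisfies neither chi nor psi and no chi occurs strictly between."""
    for i, s in enumerate(trace):
        if phi(s):
            for j in range(i + 1, len(trace)):
                if chi(trace[j]):
                    break
                if not psi(trace[j]):
                    return i
    return None

def check(phi, psi, chi, k=K):
    """Bounded check of 'phi => U(psi, chi)': None, or a refuting run of k instants."""
    return next((t for t in runs(k) if violates_until(t, phi, psi, chi) is not None), None)

is_ok, is_ko, is_idle = (lambda s: s in ("ok1", "ok2")), (lambda s: s in ("ko1", "ko2")), (lambda s: s == "idle")
# Property 1: ok1 v ok2 => U(not(ko1 v ko2), idle) -> check(is_ok, lambda s: not is_ko(s), is_idle) is None
# Property 2: ko1 v ko2 => U(not(ok1 v ok2), idle) -> refuted by a run through ko1, s2, ok2
```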

Concurrent run properties. Let us now assume that the server runs two
concurrent instances of the same protocol. Since the two processes run on the
same hardware, it is reasonable to assume that the outcomes of two parallel
protocol runs will be correlated. More precisely, we assume that two parallel
protocol runs that are initiated concurrently either both terminate successfully,
or both terminate unsuccessfully. To formalize this assumption, we augment our
operational model with the following MTL axiom, where corresponding states
of the two automata instances are distinguished by a superscript A or B:

$$
\begin{array}{rl}
\mathrm{try}^A \land \mathrm{try}^B \Rightarrow & \mathrm{U}(\lnot(\mathrm{tout}_2^A \lor \mathrm{ko}_2^A),\ \mathrm{ok}_1^A \lor \mathrm{ok}_2^A) \land \mathrm{U}(\lnot(\mathrm{tout}_2^B \lor \mathrm{ko}_2^B),\ \mathrm{ok}_1^B \lor \mathrm{ok}_2^B) \\
\lor & \mathrm{U}(\lnot(\mathrm{ok}_1^A \lor \mathrm{ok}_2^A),\ \mathrm{tout}_2^A \lor \mathrm{ko}_2^A) \land \mathrm{U}(\lnot(\mathrm{ok}_1^B \lor \mathrm{ok}_2^B),\ \mathrm{tout}_2^B \lor \mathrm{ko}_2^B)
\end{array}
\qquad (25)
$$
It is also simple to conceive a generalization of (25) to N > 2 concurrent
runs, where we re-state the same property for every pair of instances, that is:

$$
\begin{array}{rl}
\forall\, 1 \le i < j \le N:\ \mathrm{try}^i \land \mathrm{try}^j \Rightarrow & \mathrm{U}(\lnot(\mathrm{tout}_2^i \lor \mathrm{ko}_2^i),\ \mathrm{ok}_1^i \lor \mathrm{ok}_2^i) \land \mathrm{U}(\lnot(\mathrm{tout}_2^j \lor \mathrm{ko}_2^j),\ \mathrm{ok}_1^j \lor \mathrm{ok}_2^j) \\
\lor & \mathrm{U}(\lnot(\mathrm{ok}_1^i \lor \mathrm{ok}_2^i),\ \mathrm{tout}_2^i \lor \mathrm{ko}_2^i) \land \mathrm{U}(\lnot(\mathrm{ok}_1^j \lor \mathrm{ok}_2^j),\ \mathrm{tout}_2^j \lor \mathrm{ko}_2^j)
\end{array}
\qquad (26)
$$

Correspondingly, we introduce the following two properties to be verified in
this concurrent system.

6. "If at some time one process succeeds and the other fails, then they have
not begun the current run together."

   $\mathrm{ok}_2^A \land \mathrm{ko}_2^B \Rightarrow \mathrm{S}_{(0,T_3)}(\lnot(\mathrm{try}^A \land \mathrm{try}^B),\ \mathrm{try}^A \lor \mathrm{try}^B)$

7. "If at some time one process succeeds and the other failed recently, then
they have not begun the current run together."

   $\mathrm{ok}_2^A \land \overleftarrow{\Diamond}_{(0,T_1)}(\mathrm{ko}_2^B) \Rightarrow \mathrm{S}_{(0,T_3)}(\lnot(\mathrm{try}^A \land \mathrm{try}^B),\ \mathrm{try}^A \lor \mathrm{try}^B)$

5.3 Experimental Evaluation 

Table 2 shows some results obtained in tests with TAZot verifying the prop-
erties above. In all tests δ = 1. For each test the table reports: the
checked property; the number N of parallel protocol runs, according to which
the discretizations are built; the values of the other parameters in the model
(i.e., T1, T2, T3); the size k of the explored state space (as Zot is a bounded
satisfiability checker); the total amount of time and space (in MBytes) needed
to perform each phase of the verification, namely formula building (FB),
transformation into conjunctive normal form (CNF), and propositional
satisfiability checking (SAT); and the total size (in thousands of clauses) of the
propositional formulas that have been checked.

The tests have been performed on a PC equipped with an AMD Athlon64 X2
Dual Core Processor 4000+, 2 Gb of RAM, and Kubuntu GNU/Linux (kernel
2.6.22). TAZot used GNU CLisp v. 2.41 and MiniSat v. 2.0 as the SAT-solving
engine.

The experiments clearly show that the formula building time is usually
negligible; the satisfiability checking time is also usually acceptably small, at
least within the parameter range of the experiments we considered. On the
contrary, the time to convert formulas into conjunctive normal form usually
dominates in our tests. This indicates that there is significant room for improving
the practical scalability of our verification technique: from a computational
complexity standpoint, the SAT phase is clearly the critical one, as it involves
solving an NP-complete problem, whereas the CNF routine has only a quadratic
running time.

Another straightforward optimization would be to implement the TA encoding
directly in CNF, bypassing the sat2cnf routine. This can easily be done, because
the structure of the formulas in the axiomatization is fixed. In conclusion, we
can safely claim that the performance obtained in the tests is satisfactory in
perspective, and that it successfully demonstrates the practical feasibility of our
verification technique.
Table 2: Checking properties of the communication protocol.

6 Conclusion

In this paper, we introduced a verification technique to perform a partial
verification of real-time systems modeled under a dense-time model and using
mixed operational and descriptive components. The technique relies on the
discretization techniques introduced in previous work [16]. It is fully automated
and implemented on top of a discrete-time bounded satisfiability checker. We
experimented with a significant example based on the description of a
communication protocol, where concurrent runs of the protocol are synchronized
by means of additional MTL formulas, hence building a mixed model. Verification
tests showed consistent results and significantly good performance.